
Are You Ready? FCA Restatement Puts UK Social Media Programmes on Alert

The FCA recently published guidance reiterating a long-standing mandate of the regulator: the onus is on FCA-regulated organisations to monitor employee behaviour for bad actors. Therefore, even if conduct isn’t tied to a specific rule, poor behaviour that results in someone getting harmed will see the FCA take action.

For firms doing business in the United Kingdom, it’s time to ask whether you are sufficiently prepared for the restatement of this mandate. Essentially, the FCA is putting those firms on notice that certain activities that pertain to conduct—including communications across social networks—will now be under greater scrutiny. 

In conjunction with the Senior Managers and Certification Regime (“SMCR”), which makes senior management accountable, the FCA’s restatement puts further responsibility on leadership to ensure their employees are acting in a way that is consistent with their policies.  

To proactively manage this risk, forward-looking programmes should review their compliance and supervision policies and procedures to ensure that they account for the FCA’s guidance, and that the four pillars of a robust compliance programme are fit-for-purpose.

Anyone involved in a client engagement programme (marketing, compliance, sales) can utilise the questions below to assess the readiness of their existing programme.

  • Policies
    • Have you outlined acceptable behaviour as it relates to electronic communications?
    • Have you defined which channels (SMS, social media, instant messaging) are permitted, and by whom?
    • Do you have a procedure in place to periodically review and update your policies as needed?
    • Is your senior leadership involved in the sign-off of those policies?
  • Content
    • Do you have controls in place to ensure you’re distributing only fair and balanced (not misleading) content?
    • Do you have a way to monitor for recommendations that may not be appropriate for either content or audience?
    • Have you held training sessions with your employees on policies, including recording attendance?
  • Supervision
    • Have you assessed your pre-approval and post-approval breakdown of financial promotions to ensure appropriateness for your business model?
    • Do you have lexicons in place that block or flag problematic content?
    • Are there people in the approval workflow with the requisite training and/or experience?
    • Does your Senior Management have sufficient insight into your electronic communication regime, including social media or text messaging, to satisfy their Duty of Responsibility under SMCR?
  • Archiving
    • Are you capturing all of your social media posts, profiles, and audit trails for each step during the approval workflow?
    • Are they being stored in a way that is consistent with the applicable regulations (e.g. durable media for MiFID-related communications)?
    • Do you have a way to reliably and quickly retrieve these records in the event that you need them?

While these are not the only questions that a Senior Manager should ask, they can lay the groundwork for an internal dialogue that reassesses your response preparedness. All firms should strive to understand the implications of this restatement, and enforce effective policies and procedures as part of their ongoing oversight. 

Stop the insanity! What financial services firms can learn from the GameStop frenzy

Accessing—and acting upon—financial advice seen on social media platforms is nothing new. But not until the recent trading frenzy around GameStop has this new reality come under sharp scrutiny. After retail investors on a Reddit discussion board drove an astronomical increase in stock value, GameStop stock is now sharply falling. The resulting volatility has led to a market valuation swing of over $30 billion for the company in just this year.

The potential for outsized risk and high-stakes consequences resulting from crowdsourced actions born on social media platforms has never been more apparent. And while the reputation risk for firms that must oversee advisors’ social media behavior has always been a concern, the legal risk is real as well.

To protect themselves and their advisors on social media, financial services firms can implement three key steps:

  1. Communicate a clear social media strategy for personnel. This should include how and what channels they can use, the content they can publish—including which original content or corporate-provided content they may modify—and what supervision process they need to undergo. Additionally, the policy should address firm expectations pertaining to the use of social media during non-business hours, any prohibited use-cases, and include the repercussions of not abiding by the policy.
  2. Employ automated supervision workflows to review advisor-created content prior to posting. This can be made more efficient by using a tool like Hearsay, which surfaces and remediates sensitive communications via an AI-powered alert system, so that supervisors can focus on high-risk violations.
  3. Test adherence to the policy. In addition to having advisors attest to their understanding and adherence to the social media policy, firms should implement a program to test that social media usage aligns with the policy.

One takeaway from the past few weeks is that there continues to be a huge desire for financial advisors and their clients to connect and communicate using social media. At Hearsay, we saw a 24% increase in advisors actively using social media across our platform in 2020 vs. 2019. And a 2020 advisor survey by Putnam Investments found that 9 in 10 advisors say that not only has social media changed the nature of client relationships during the pandemic, but that this change is here to stay. Given the potential impact to an organization’s reputation and the viral nature of this medium, firms need to establish and secure proper guardrails in order to support and enhance the connections enabled by social media, while minimizing the risks.

Regulatory Scrutiny of Client Engagement is Here – Are You Ready?

In light of a recent SEC penalty, now is not the time to rely purely on policy.

As part of my role with Hearsay, I am frequently asked for compelling Compliance-grounded reasons why customers might contract our products and services. In the past, a recitation of the relevant rules and laws, in conjunction with reference to regulatory smite, was sufficient to sway any customer. Recently, however, the underlying motives behind this conversation seem to have shifted. It seems the relative cost of a compliant product and service – usually measured by the license fee, without consideration to the benefit of the product and service – is being weighed against the likelihood, or severity, of regulatory censure. This is a worrying development. Since regulatory frameworks typically don’t prescribe how firms comply with the obligations, some have increasingly shifted responsibility to the employee, adopting a policy prohibiting certain activity, but not actually monitoring results that regulators have become more adept at testing for.

This approach may reflect the softening of regulatory censure for non-compliant communication in the email, texting and social media messaging channels, with penalties decreasing in size and frequency. Over-indexing on this trend, however, strikes me as concerning. In just a few short months, brokers and advisors went from meeting a friend for lunch at a restaurant or attending an event, to maintaining those relationships digitally from their home. In order to adjust to the world of social distancing, market participants have had to rethink their engagement model to adapt to new realities. The uptick in the use of social media and text messaging is significant: Hearsay observed a 300% spike in digital communications since the onset of the global pandemic.

The adaptations of market participants – as well as ill-intentioned individuals – have not gone unnoticed by regulators, who have issued myriad alerts, FAQs and guidance to protect investors and remind organizations of their obligations. This can be viewed as both a warning and an opportunity. To prepare for what I believe to be a more stringent environment around texting, firms should be looking at the controls they have for their social media and electronic communications programs, assessing whether the channels being used by their employees are permitted, being used effectively, and are compliant with their organizations’ regulatory obligations. It’s only a matter of time before regulatory sweeps start focusing on remote electronic communications.

For those firms that already permit, with controls, engagement on social media and through text messaging, now is the time to assess whether their programs and controls remain effective and adequately address regulatory obligations as well as pandemic-related adjustments. Those that are relying on a policy to prohibit control must assess whether the policy is sufficient and extensively test – remediating and sanctioning where necessary – the effectiveness of the prohibition. Case in point – just recently the SEC levied a $100,000 penalty for over-reliance on policy and non-technical controls, such as attestations. This is indicative that such an approach can leave firms with a false sense of security regarding their texting program.

Regulatory scrutiny of such programs is already in progress and examiners have extensive tooling and a broad set of lenses by which to evaluate compliance (i.e., approved users/channels; content quality; required pre-approvals; extent & adequacy of post-review processes; accuracy & completeness of records made and retained). Given the rapid growth in the use of these channels, it does not seem unreasonable to expect a resurgence in the frequency and, for the most egregious cases, the size of penalties imposed by regulatory agencies in the ensuing months and years. As such, now does not strike me as the time to rely solely on a policy prohibiting certain activity, nor to ask whether implementing technical controls would be deemed a reasonable approach. Now is the time to ensure you have the appropriate solutions, processes, and expertise in place to confidently empower your field in a time when digital client engagement is table stakes.

The Key is Context – Unlocking the Modernization of Archiving & Supervision

Why mess with a good thing? Sometimes we hit on something that works so well that it never changes – like Coca-Cola. Unfortunately, most things are not Coke and need to evolve. Email-based archiving – particularly when applied to client engagement activities across social and texting – is one of those areas begging to be modernized.

To meet regulatory recordkeeping requirements and standards (i.e., SEC, FINRA, CFTC, FCA and others), firms have long relied on an email-based approach to take delivery of client communications into their archives. Email-based archiving (SFTP) is akin to sending a package – data is stripped down and organized to fit nicely in a box that can be sorted in a similar way with all the other packages. While the approach results in compliance with archiving mandates, it hampers compliance teams, rendering them less effective and efficient. What this approach lacks is context. Activities are delivered into the archive sometimes as they occur – most commonly with a delay – and are siloed by channel, forcing supervision to piece together conversations that are taking place across days, networks, and channels. This approach conjures up images of old police TV mysteries with cork boards and pinned pieces of yarn to connect suspects – it doesn’t reflect the technological progress we’ve made in other areas of financial services.

However, that is beginning to change. As more efficient, modern methods of data transfer have been introduced, some firms are re-examining how this data is being transferred to them. Archiving via API provides the full context of digital communications and real-time access. Firms get a thread that gives a full view of the interactions between two contacts, instead of the legacy structure imposed by an email-based configuration.

With API-led approaches, firms are gaining real-time access to communications in order to bring speed and efficiency to the archiving and review process. We’ve made investments in Hearsay’s Compliance API to offer real-time access to a stream of activities that unlocks integrations with API-led platforms, simplifying and modernizing recordkeeping, supervision, and discovery. Critically, this offers Supervision teams a unified view of activities across channels to see a full, clear picture, so that the right activities are flagged and remediated.

All this to say that now is the time for firms to consider evaluating whether their archiving processes are as effective as they could be. An API archiving process doesn’t require a massive transformation of the existing setup – for example, Hearsay’s open APIs allow our platform to integrate seamlessly with existing infrastructure, bringing more value to your existing compliance foundation. And as you evaluate options, our team stands ready to lend our expertise.

Sometimes, change is a good thing.