9 Ways to Use Social Media Compliantly From FINRA

At the recent 2018 Financial Industry Regulatory Authority (FINRA) Annual Conference, financial services compliance professionals explored how to embrace the future of communications while remaining compliant.
Amy Sochard, Senior Director in FINRA Advertising Regulation, moderated a panel of Evan Charkes, Managing Director and Associate General Counsel, Bank of America Merrill Lynch; Robert Salvador, Chief Compliance Officer, Motif Investing, Inc.; and Nubiaa Shabaka, Global Head of Cybersecurity Legal and North America Head of Privacy and Data Protection Legal, Morgan Stanley. Together, they recapped nine key practices for compliant social media:
1. According to a poll conducted at FINRA, firms have some concerns about social media. Unauthorized social media accounts that cannot be supervised (or monitored) and the inability to capture and retain content are both key issues for compliance professionals. Other worries include possible cyberattacks, inadvertent sharing of personal information, embarrassment through inappropriate sharing, and false or misleading content. Industry practice: Put processes and controls in place to monitor and supervise social media communications.
2. When associated persons communicate through an electronic medium, U.S. Securities and Exchange Commission (SEC) record-keeping rules apply, noted Sochard. This includes social media, instant messaging, text messaging and messaging apps. Industry practice: Deploy technology to capture and retain approved business communications wherever they occur.
3. Firms tend to prohibit the use of communications that cannot be seen or managed in some way. Therefore, they are at risk of being out of compliance when clients reach out to associated persons and want to do business on prohibited communications channels, said Shabaka. “We train our employees that any type of communication that relates to business, and needs to be captured, should be redirected to the appropriate device or firm system that is able to capture those communications.” Industry practice: Firms need to “create reasonably designed supervisory processes and procedures that are reinforced through training,” said Charkes.
4. According to Sochard, there has been a “sea change” over the last few years from the concept of maintaining a “bright white line” between personal and business communications. Nowadays, there is a “real desire to allow associated persons to act as brand ambassadors and to let the world know about the firm’s brand without treading into an offer or a promotion of securities,” said Sochard. However, Charkes cautioned: “Think about how much risk your firm is willing to take in this area.” Industry practice: “According to FINRA Regulatory Notice 17-18, associated persons may use their personal social media to link to content on the firm’s websites or other digital properties, if the linked content is not related to the products or services of the firm,” explained Sochard.
5. According to FINRA, firms have recordkeeping, content and supervisory responsibilities when they “adopt” or “become entangled” in third party content. This includes the original digital communication and link as well as the specific content. FINRA draws the line at content accessed through secondary links, unless those links are a means to getting to that specific content. Industry practice: Many firms create a library of pre-approved third-party content for associated persons to share. However, due to copyright and branding issues, some more conservative firms avoid third party content altogether and only allow their associated persons to share content that has been created in house. (Note: The concept of “adoption and entanglement” is based on an SEC theory around the level of involvement in the creation of the content.)
6. Native advertising (communications that look and feel like news articles, but are really paid advertising) is permissible, according to Sochard. Industry practices: Firms need to adhere to FINRA’s Communications with the Public rules when using native advertising. These include certain content standards, not being misleading, and being upfront about paid advertisement, said Sochard. Charkes added that firms also should review guidance from the Federal Trade Commission (FTC) that states that native advertising needs to be clear, conspicuous and prominent.
7. The use of testimonials on social media has long been a question in the financial industry. From FINRA’s point of view, broker dealers may use customer testimonials in some specific circumstances and with proper disclosures. Due to space limitations, disclosures could be included via hyperlink, explained Sochard. FINRA has attempted to clear up industry confusion about regulatory requirements when a third party makes comments on a social media site, said Sochard. FINRA’s stance is that as long as the firm has neither “adopted nor become entangled” with the comment, then the firm would not be responsible for the advertising rules (such as supervision or the content of the comment) associated with it. However, if the firm “liked” or “shared” a comment, then the firm is considered to have “adopted” it, and hence now is responsible for it, and all rules would pertain. To make things more complex, testimonials are prohibited outright in the advisor space. Industry practices: Given industry complexities, and dually registered associates following two sets of rules, firms tend to prohibit testimonials by policy or use technology to either disable or supervise endorsements when possible.
8. FINRA provides a regulatory distinction for the supervision of social media between “static” and “interactive” content, said Sochard. Static content, such as profiles on LinkedIn, Facebook or Twitter, is viewed as akin to an advertisement and requires approval by the principal of the firm before being used for business. Interactive content, such as real-time communications, is viewed as correspondence and may be supervised (or reviewed) after the fact, just like how firms have been supervising correspondence for almost 19 years, explained Sochard. Industry practices: Supervisory approaches vary across the industry. Some firms prohibit the use of social media for business and only check for possible violations; others only allow their associated persons to use a library of pre-approved content. Still others support a library of pre-approved content and also allow their associated persons to customize their content in real time.
9. “The intersectionality of privacy, cyber security and social media is very real,” said Shabaka. That’s because someone could gain access to your personal information based on what you post on social media. The repercussions can be financial loss, reputational risk, ID theft, legal and regulatory consequences, said Shabaka. Industry practice: Manage your risk by bringing data privacy, protection and cybersecurity into your compliance processes, said Sochard. Education and training is key, concluded Shabaka.

7 Ways That Silicon Valley Can Improve Its Work With The Government

This article was originally published in Forbes.
The American public recently learned that Silicon Valley needs to work with the government more effectively in order to protect the privacy of the consumer. At a recent event, “MONage, The Future of Communications”, Glenn S. Richards, Partner, Pillsbury Winthrop Shaw Pittman LLP, explained the overall importance of government regulations for the consumer and shared how the technology community can become more compliant. This is a summary of that presentation.

Why Are Regulations Important?

Innovators may outpace or even ignore regulators, but eventually, the government will find you, said Richards. Rather than wait, he suggests that firms proactively review the regulatory landscape that impacts their products and services and then design offerings with this in mind. Although innovators typically resist regulation, he described four compelling reasons that regulations exist:
Consumer protection. Whether it’s physical safety, such as autonomous vehicles, or privacy, consumer protection is important to regulators. There are now increasingly serious conversations about protecting the privacy of the consumer on social media. These concerns may result in pressures to move towards a more European privacy model of opting in or out. It’s important that firms capturing data gain consent from customers. Firms should also carefully consider how data is captured, stored, and accessed.
Public safety. In the post-9/11 world, the government wants to understand how technologies work, and how they can be used to find, and stop, persons that want to do harm to our country.
Level playing field. When disruptive technology enters the marketplace, the incumbents will naturally say “Whoa, all our regulations need to apply to these new guys too,” said Richards. A natural question is why home sharing and ride sharing companies aren’t regulated in the same way as hotels and taxis. Although disrupters typically initially take the position that rules don’t apply to them, over time, they eventually submit to regulation.
Taxes. Governments always seek to tax revenues and broaden their tax base. When your products generate revenue, the government will look for its percentage. Even if it doesn’t initially know how to categorize what you are offering, it will eventually figure it out, said Richards.

7 Ways Technology Firms Can Become More Compliant

Given the importance of regulations, how should the technology industry proceed? Richards shared some advice about staying on the right side of the government and regulations when it comes to social media and other new technology:

  1. Look at the current regulatory landscape to understand the requirements. If none exist because your technology is unique, try to find similar technologies or services and determine how they are regulated.
  2. Design your product to meet the needs of people with disabilities. The government (particularly, the Federal Communications Commission (FCC)), is clear that newly developed technology must be able to be used by persons with physical disabilities.
  3. Be good corporate citizens. Make proper disclosures about what your services can and can’t do. Disclosures should be clear, conspicuous, and true. Disclosures will enhance your relationships with regulators and help you to avoid or mitigate lawsuits.
  4. Join trade associations. Trade associations will help your firm stay up to date on rules and regulations and important legislation that may impact your industry. Many associations are attempting to establish standards and best practices that may keep regulators at bay when the industry acts responsibly.
  5. Educate lawmakers and establish relationships to take away the fear of the unknown. Introduce your services and technology to regulators. Describe how you are creating jobs and creating economic value. Visit Washington, but also invite the local, state and federal legislators and regulators to your facilities. You will gain the regulators’ cooperation when they feel part of your community.
  6. Make campaign contributions to gain access to politicians to mitigate legislation that may hinder your operations.
  7. Not surprisingly, Richards’ final bit of advice is this: Hire a good law firm.

Good advice for us all.

How to Manage Facebook and Video Conferencing at Banks

This article was originally published in Forbes.
Financial advisors want to communicate the same way as their clients do, whether by Facebook, text or video. That presents challenges to the compliance departments of financial services firms who are responsible for keeping their firms compliant with various rules and regulations that impact communications to clients.
At a recent event, W. Hardy Callcott, Sidley Austin LLP, asked Christopher Fernandes, Hearsay Systems, Robert Innes, Charles Schwab & Co., Inc., Thomas Selman, Financial Industry Regulatory Authority (FINRA), and Nubiaa Shabaka, Morgan Stanley & Co, LLC, the following question: “How can the compliance department support the business yet keep the firm compliant?”
Here is a summary of some of the answers.

The Latest Social Media Guidance From FINRA

Social Media and Digital Communications: Regulatory Notice 17-18 is FINRA’s latest regulatory guidance for social media. Among other topics, guidance on native advertising, which is paid content that matches the tone of editorial content, was included for the first time. FINRA is seeing it more and more.
“It’s becoming part of the fabric of all the social media sites,” said Selman. Selman went on to explain that native advertising is permissible if the broker-dealer’s name is prominently displayed, the relationship between the broker-dealer and the entity mentioned is disclosed, and the advertising is fair, balanced and not misleading.
The Notice also clarified how firms should treat hyperlinked content. According to FINRA, when reps or firms hyperlink to specific articles, they have “adopted” that content. That means that firms are now responsible for that content, which means that advertising and supervision rules apply. Although ongoing hyperlinks (where there is no direct control) are not considered to be “adopted,” firms still need to make sure that hyperlinks do not include misleading or fraudulent information.
And finally, FINRA does not consider updates on social media about topics such as charity events or employment opportunities to be “business as such,” so record-keeping and supervisory requirements may not apply. FINRA’s goal is to allow technology to flourish, said Selman. Rather than take a prescriptive approach to social media that might stunt the growth of technology by firms trying to meet specific requirements, FINRA’s principle-based approach has allowed solutions to develop organically.

“Likes” On Facebook

Selman also discussed the regulatory impact of “likes” on Facebook. He explained that if associated persons “like” specific content, and people looking at their Facebook page can see those links and that content, FINRA considers that content to be “adopted” and therefore the firm is responsible for it.
However, if a Facebook page is “liked” in order to simply follow it, that’s the equivalent to a hyperlink over which you have no control (discussed above) and hence the firm hasn’t “adopted” it. Therefore, if firms allow the use of “likes” by their associated persons, there may be a distinction between “liking” specific content and “liking” a page itself.
Interestingly, Selman concluded that “although FINRA has certain principles, the firms often go well beyond our principles for these and other considerations. A lot of times, broker-dealers complain that we’re too tough, when it turns out that it’s their own compliance department.”

Challenges of Using Video Conferencing for Associated Persons

When financial advisors use video conferencing to “meet” with clients, many of the same regulatory issues that pertain to social media apply. These include requirements to archive and supervise business communications and to manage information security and privacy, according to Innes.
Innes explained that advisors and a small, but growing, number of clients like to use video for meetings. However, there are challenges of capturing and archiving native messaging communications within the platforms as well as protecting what clients and advisors share with each other. Specific risks include the inadvertent leaking of firm proprietary or client information when sharing the desktop. He suggested that advisors be trained specifically on how to conduct video meetings with clients. For example, advisors need to learn to spend time before their meetings to line up documents that they wish to share and minimize everything else.
Shabaka agreed. Procedures, ongoing training and attestations that the training is understood are all important. She said that firms should consider adding disclosures for external parties, limiting the attendees of the meetings, and making sure that advisors are licensed to sell products in the states where they are having conversations. From an information security and privacy perspective, she suggested that firms think through who can see the information that the advisor is sharing. Consider instituting processes to report incidents of unauthorized access to certain personal information via video.
Firms should also evaluate their processes around supervision and monitoring to make sure people are following the policies at the firm. Think through all the details in advance to mitigate risks of leaking data when using video conferencing, concluded Shabaka.
From a regulatory perspective, Selman added that FINRA would treat an ongoing video as a public appearance under the rules, which means pre-review of the content is not required. Using Facebook Live as an example, once the video is complete, it appears on the person’s feed and would be treated like an interactive communication, which doesn’t require any kind of pre-approval.
However, the video would require some type of risk-based review to make sure that it meets FINRA’s advertising standards. As a reminder, firms may not use networks where the video immediately disappears or disappears soon after it’s made, if business records can’t be captured, supervised or maintained.
Fernandes concluded the session by reminding firms that when social media and video communications are managed by multiple departments, firms need to make sure there’s synergy across the organization about the rules and responsibilities. As video becomes a larger and more important component of business communications going forward, the rules of conduct are going to become more and more important over time.