Your financial services firm can no longer ignore the looming social media compliance audits. How do you know if you’re prepared? FINRA’s Regulatory Notice 10-06 lays out some extensive (and somewhat lengthy) guidelines, but we’ve shortened them up here for you.
All social media communications sent out from your firm to customers must be retained, as it relates to the business. If your firm utilizes Facebook, Twitter, Blogger, Flickr, etc., to post information to customers and clients, you are required to archive these. Backupify backs up all of these services in one platform, allowing quick and easy archiving and management of your social media accounts, something with which FINRA will be quite happy.
If a broker-dealer communication requires sensitive information to be discussed, you must conduct it over a secure platform so no confidential information is leaked. Some social media sites, such as Twitter and Facebook, have private messaging which allows for secure communications while others do not. Always consider the type of information you are discussing over a highly public social network before continuing the conversation. If it involves private information, carry on the conversation over a secure messaging platform, via email or offline.
Supervising Electronic Communications
FINRA Regulatory Notice 10-06 states, “Communications that recommend specific investment products often present greater challenges for a firm’s compliance program than other communications… They may trigger the FINRA suitability rule [above], thus creating possible substantive liability for the firm or a registered representative.” Due to the sensitive nature of investments and banking, firms today must be very careful with what they discuss online.
Blogs FINRA defines a static company blog as an advertisement for their offerings. If your firm has a blog, you must first obtain approval for each posting. Blogs that are interactive – that is, those that allow comments and replies – is considered a real-time interactive form of communication and does not require prior approval, but needs to be under supervision much like social media communications.
Social Media The same basic rules go for social media. Static content, including bios, profiles and wall information must be approved before posted. Real-time communications (i.e. Tweets) that occur on these platforms don’t need prior approval before posted, but are subject to supervision and regulation.
In order to supervise the real-time communications on social media, firms should adopt regulatory procedures. Regulatory Notice 10-06 explains, “Firms may employ risk-based principles to determine the extent to which the review of incoming, outgoing and internal electronic communications is necessary for the proper supervision of their business.” This means that some types of communications may need prior approval while others will just be reviewed on a case by case basis.
Wondering if employees should be restricted from having a social media profile? FINRA explains “persons who participate in social media sites for business purposes are appropriately supervised, have the necessary training and background to engage in such activities, and do not present undue risks to investors.” Essentially, only employees who have prior approval and training are allowed to create a social media profile and post information publicly. It is a good idea to first consider who in your firm is considered a compliance risk in the past and limit their access to a public social media site.
Regarding posts by customers or third parties on social media sites created by a firm, FINRA does not consider them subject to the same regulations. Thus, prior approval and regulations do not apply. The only two instances where a third-party post would be subject to regulations are: (1) The firm assisted with the content preparation or (2) The firm has explicitly or implicitly endorsed or approved the content.
Is your firm preparing for FINRA audits or have you already been audited? Leave your suggestions below for additional ways to be in compliance with Regulatory Notice 10-06.