This week, Proofpoint attended the 2014 FINRA Annual Conference. As always, the conference was jam-packed with sessions, exhibitors and compliance / legal folks from the Financial Services industry. This year, it was particularly busy, as the conference had its highest number of attendees ever!
While at the conference, we had the opportunity to sit in on many of the information sessions as well as the opportunity to interact with many of the brightest minds in the industry. With our schedule tightly packed and so much new information to process, it’s often important to jot down important takeaways on paper before they’re forgotten, and that’s what we’ve done for you here.
In this two part series, we’ll focus on the top social media compliance takeaways from the 2014 FINRA Annual Conference. The first few are below.
Social media compliance is definitely top-of-mind
The topic of social media compliance seemed to pop up in the majority of information sessions - even in sessions that did not explicitly focus on that topic. This is evidence that it’s clear regulated firms are very interested in leveraging the power of social media to market, sell and to provide support to their customers, but, of course and rightfully so, they’re worried about noncompliance. As a result, they seek guidance from FINRA. After all, there are an increasing number of examples whereby firms, their principals and their registered reps have been fined for lack of social media compliance and folks simply do not want to get want to make the next headline in this area.
So FINRA made it a point to thoroughly discuss all matters related to social media compliance and even went so far as to give examples of how real firms have been able to maintain regulatory compliance while using social media. AXA, Vanguard, LPL and Commonwealth were among the few firms kind enough to share their stories with us. We’ll highlight some common social media use cases in Part II.
Archive everything, including social media
All forms of electronic business communications must be archived, but don’t take my word for it. FINRA said exactly that in one of the information sessions. So, while you’re most likely already archiving email for long-term retention, eDiscovery and supervision (you are, right?), you’d be better prepared to respond to FINRA examinations if you, in addition to email, archive every form of electronic business communication that’s bouncing around at your firm. That’s right everything.
This means that you need to archive business communications from mobile (txt, sms), public social (Linkedin, Facebook, Twitter), enterprise social (Chatter, Yammer) and blogs, to name a few. Ideally, content from these sources should seamlessly integrate into your information archive so that you can employ eDiscovery and Supervision tools that make it easy to respond to a FINRA examination, should one arise.
Employee privacy vs. social media compliance
The need to archive everything brings us to the next point, what if you can’t?
I should clarify, by “can’t,” I don’t mean that it’s not technically possible to capture social media, because it certainly is possible (solutions exist that enable the capture of social media content). Rather, the problem is that it could be illegal to capture employee generated social media content.
Dissecting employee privacy law in exhaustive detail is outside of the scope of this blog post, but, generally speaking, employee privacy law is determined at the state level and states have different statutes in place. 14 states, Arkansas, for example, indicate that an employer cannot request the credentials of employee’s “personal" social media accounts for any reason (requesting credentials is sometimes necessary to supervise and archive employee social media activity). So, you should check with your legal council before requesting such information from employees.
Unfortunately, such statutes are in direct conflict with what FINRA requires: archive all forms of electronic business communications.
But don’t fret, FINRA understands that this is a current problem in some states and has provided the following guidance, plus it’s also working to remediate the situation:
- Semi-annual attestations - if you can’t archive and monitor employee social media content, them have them attest to the fact that they are not using their personal social media accounts for employer-related business communications. Have them do this at least semi-annually.
- Follow-up on red flags immediately - Even with semi-annual attestations, you may learn of instances when employees are in fact using social media for business communications. You should investigate such matters immediately.
- FINRA, the lobbyist - FINRA did indicate that it is “aggressively lobbying” states with “much success” to remediate the conflict between FINRA rules and employee privacy. Most likely the results of FINRA’s lobbying effort will come in the form of carve outs within the state statutes that enable only regulated firms to request access to employee social media accounts, thereby satisfying FINRA rules while not violating laws at the state level. One such example is Maryland, which has a carve-out for “self regulatory companies” and explicitly references FINRA and NASD.
In summary, there was a lot of buzz about social media compliance at the 2014 FINRA Annual Conference. In this first post in the blog series, we’ve highlighted that social media compliance was top-of-mind at this year’s conference, discussed the need to archive everything and examined the conflict between employee privacy and the need to comply. We’ll follow up with Part II of this blog series, shortly.