Part 2: Key Social Media Compliance Takeaways from 2014 FINRA Annual Conference

June 03, 2014

[This is Part II of a two-part blog series on the 2014 FINRA Annual Conference]

A few weeks back, Proofpoint attended the 2014 FINRA Annual Conference and we summarized some key takeaways in the blog post here.

As promised, we're following up on that post with a second installment in this series. In this post, we'll explore the various stages of social media adoption through which a regulated organization passes during its quest to achieve full social media adoption. As folks struggle with ironing out the best ways to leverage social media, these stages will be helpful in both identifying your current state and determining how to advance to the next stage.

Let's start by defining what we call the Social Media Adoption Lifecycle. The lifecycle is broken down into 3 distinct groups, as follows:

Crawl - Crawl is step 1 in that you're unsure how to best employ social media at your firm. An example of Crawl state is that you block access to social for most of your employees because of concern over the impact on compliance obligations. You might operate in a "read-only" mode; perhaps having a handful of employees monitor social media websites for information pertaining to your brand or to view customer complaints. But, at this stage, posting content to social media sites usually does not occur.

Walk - Walk defines step 2 in that you've yet to fully leverage all of the benefits that social has to offer. Perhaps you have a branded, marketing-owned social media page on each of the major sites. These pages are most likely controlled by a handful of employees, blocking access for the remainder of the firm, with any changes to content posts being manually reviewed by compliance prior to submission. After submission, you may be satisfying requirements to archive social content by taking screenshots of content directly from the social media websites, pasting the screenshots into an email and sending the email off to your archive for long-term retention and eDiscovery. Not the most efficient solution, but, hey, you've got to start somewhere.

Run - With Run, you've fully embraced social media at your firm, no longer blocking access for all employees, and you've deployed social use cases for sales, marketing, customer support and others. You've put in place an automated means through which pre-approved, "static" content can be stored and subsequently drawn from. For "interactive" content, you may have a means to supervise / pre-review employee-generated posts before they reach their final destination. And most importantly, you have an automated means by which to archive and retain an immutable copy of all posted social media content and related comments, including third party comments.

So how to best get from crawl to run? Start by defining the business use cases for social media at your firm, describe how each use case will be employed and ensure that you build compliance controls and acceptable use policy around those use cases before putting them into practice. Involve your compliance team from the start - the last thing you'd want to do is have your compliance group find out about your social media non-compliance after the fact.

To help you along, below is a cheat sheet containing items extracted from FINRA's annual conference. All of the topics listed below arose in one or more of the conference's social media sessions and they answer common questions that regulated organizations often have regarding compliant social media use.

  • Supervision on social media is important, but...
    • Pre-review vs. Post-review: Interactive content need not be pre-reviewed
    • Pre-approval: Static content must be pre-approved
    • Supervision is not one-size-fits-all. You may want a "mix" of the above based on functional group
  • Archiving is an absolute must
    • This includes any form of electronic business communication (email, social, IM, etc.)
    • Be prepared to produce content during FINRA spot checks
  • Privacy: employer access to employee social media accounts still an issue
    • Controlled via statutes at the State level; FINRA is successfully lobbying for carve-outs for regulated firms
    • Until then, have employees sign semi-annual letters of attestation stating that they are not using personal social media accounts for business purposes
  • Prospectuses and tombstones can be sent via a limited space communication channel, like Twitter
  • Hyperlinks issue: are you responsible for 3rd party content behind hyperlinks that you've shared on social media?
    • Use disclosures on social media pages that indicate that your firm is not responsible for 3rd party content
  • You are not responsible for shares and retweets of your content by 3rd parties
  • Be wary of any social media features that can be interpreted as a recommendation or an endorsement
    • But, the "like" button is not an endorsement, so long as the "like" is not in relation to performance

In summary, there were many key social media compliance takeaways from this year's FINRA Annual Conference. Whether you're crawling, walking or running, be sure to take note of the above points when crafting your overall social media use and compliance strategy. As always, it's better to be well informed and compliant than not.