Financial Services is one of the most heavily regulated industries. As electronic communications devices and platforms proliferate, message retention and oversight is a top priority for many compliance officers. A recent survey of compliance professionals in the financial services industry identified the following key issues:
Firms are working smarter, not harder to manage the growing compliance burden.
As the types of messages that Financial services firms are required to monitor and store continue to increase, firms are re-evaluating and updating supervision and retention procedures. Key areas of compliance concerns are
New communications channels (e.g. social media, text messaging)
New communications devices (e.g. smartphones and tablets)
Increased scrutiny/enforcement by regulators
Inefficiencies of the supervision process
Mobile devices and communications are emerging as a top concern.
Like many other industries, Financial Services firms are facing the “Bring Your Own Device” (BYOD) challenge: growing use of smartphones and tablets as well as adoption of mobile-specific communications like text messaging. This presents a challenge to conventional compliance practices which has not gone unnoticed by regulators. Last year, FINRA issued Regulatory Notice 11-39, stating that firms are required to retain, retrieve and supervise business communications regardless of whether they are conducted from a work-issued device or a personal device. This presents a challenge to companies that must separate business and personal communications in order to ensure regulatory compliance.
Social Media and other online communication channels present new concerns.
Use of Social Media is on the rise in the Financial Services industry. However, policies and procedures for supervision and retention lag behind the pace of adoption. In terms of the most requested message types during examination! Email was first, followed by Website pages (including
RSS feeds, blogs, wikis) with Bloomberg or Reuters messages and instant messages ( tied for third place.
While regulatory examiners are increasing their oversight and moving from a check-the-box approach to compliance to scrutiny of the messages themselves, financial services firms are getting more savvy about their approach to compliance. In addition, as the opportunities for new types and channels of electronic communications increase, so too are the archiving and supervision technologies allowing firms use of these emerging communication tools with a greater sense of security.
For the past year and a half, I have been traveling to various conferences around the country to speak on Legal and Regulatory compliance in social media. In the beginning, case law and regulatory guidance was scarce and little information was available to provide businesses engaged in social media with a roadmap for Social Media Legal and Regulatory compliance. However, a lot has changed over the last year and a clear trend is emerging. Industry regulators are aware of the use – and abuse – of social media by their members. This article examines recent guidance provided by the Federal Trade Commission (FTC), the Food & Drug Administration (FDA), the National Labor Relations Board (NLRB), the Financial Industry Regulatory Authority (FINRA) and the Securities Exchange Commission (SEC).
The settlement, first announced in June 2010, resolved charges that Twitter deceived consumers and put their privacy at risk by failing to safeguard their personal information. Lapses in the Twitter’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including both access to non-public user information and tweets that consumers had designated as private, and the ability to send out phony tweets from any account. Under the terms of the settlement, Twitter has hit ended and ongoing obligations concerning consumers and the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers.
In a similar action, the FTC settled and investigation into Facebook,the leading social media platform/service. The social networking service agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers’ express consent before their information is shared beyond the privacy settings they have established.
As recently as January 10, 2012, the FTC reached a settlement with UPromise, Inc., stemming from charges that the company – a membership reward service – allegedly used a web-browser toolbar to collect consumers’ personal information, without adequately disclosing the extent of personal information collected. The FTC found that the toolbar was collecting the names of all websites visited by its users as well as information entered into web pages by those users, including user names, passwords, credit card numbers, social security numbers and other financial and/or sensitive data. Furthermore, this data was transmitted in unencrypted, clear text that could be intercepted or viewed by third parties in a WiFi environment. The result? UPromise had to destroy all data it collected under the “Personalized Offers” feature of its “TurboSaver” toolbar in addition to other obligations related to data collection practices and consent to collection of personal information.
Other Industry Guidance.
In October 2009, the Federal Trade Commission released it’s updated “FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising.” The updated Guides contain two notable areas of concern for marketers. First, the Guides removed the safe harbor for advertisements featuring a consumer’s experience with a product or service, the so-called “results not typical” disclosure. Second, the FTC Guides underscored the longstanding principle of disclosing “material connections” between advertisers and the consumers, experts, organizations, and celebrities providing reviews and endorsements of products and services.
For concise guidance on when, how and what to disclose, see my article here.
Social Media in the Healthcare & Pharmaceutical Industries.
Like other consumer-oriented industries, Pharmaceutical and Biotech firms are rapidly expanding their presence online. This growth over the past several years has not gone unnoticed as evidenced by FDA Warning Letters targeting marketing campaigns “broadcast” via websites and social media platforms. The FDA also provides more general guidance for the industry. Policy and guidance development for promotion of FDA-regulated medical products using the Internet and social media tools are available in the FDA’s Consumer-Directed Broadcast Advertisements Questions and Answers. While this document provides clear direction for traditional media broadcasting , it only skims the surface regarding web content.
Social Media in the Workplace.
Probably no other federal agency has been as active as the NLRB in recent months. The NLRB has a mandate to protect employees rights to organize and discuss working conditions without fear of reprisals from employers. On August 8, 2011, the Associate General Counsel for the NLRB released a memo entitled “Report of the Acting General Counsel Concerning Social Media Cases.The report began by analyzing a case of first impression: whether an Employer unlawfully discharged five employees who had posted comments on Facebook relating to allegations of poor job performance previously expressed by one of their coworkers.
On January 25, 2012, the NLRB released a second report describing social media cases handled by the NLRB. The “Operations Management Memo” available here, covers 14 cases, half of which involve questions about employer social media policies. Five of those policies were found to be unlawfully broad, one was lawful, and one was found to be lawful after it was revised.
The remaining cases involved discharges of employees after they posted comments to Facebook. Several discharges were found to be unlawful because they flowed from unlawful policies. But in one case, the discharge was upheld despite an unlawful policy because the employee’s posting was not work-related. The report underscores two main points made in an earlier compilation of cases: 1) policies should not sweep so broadly that they prohibit the kinds of activity protected by federal labor law, such as the discussion of wages or working conditions among employees; and 2) an employee’s comments on social media are generally not protected if they are mere gripes not made in relation to group activity among employees.
Social Media and the Financial Services Industry.
From the Madoff scandal, to the Occupy Wall Street Movement, to Mitt Romney’s tax returns, the financial services sector is accustomed to the scrutiny and ire of the public and government regulators. Therefore it is no surprise that on January 4, 2012, the SEC’s Office of Compliance Inspections and Examinations, in coordination with other SEC staff, including in the Division of Enforcement’s Asset Management Unit and the Division of Investment Management, issued its “Investment Adviser Use of Social Media” paper. The paper begins by observing that although “many firms have policies and procedures within their compliance programs” governing use of social media” there is wide “variation in the form and substance of the policies and procedures.” The staff noted that many firms have multiple overlapping procedures that apply to advertisements, client communications or electronic communications generally, which may or may not specifically include social media use. Such lack of specificity may cause confusion as to what procedures or standards apply to social media use.
The SEC paper suggests that the following factors are relevant to determining the effectiveness of a Social Media compliance program:
Frequency of Monitoring
Approval of Content
Criteria for Approving Participation
Functionality of web sites and updates thereto
Enterprise-wide web site content cross collateralization
Similarly, the Financial Industry Regulatory Authority (FINRA) has issued guidance for secutires brokerage firms. According to its web site, FINRA “is the largest independent regulator for all securities firms doing business in the United States.” FINRA protects American investors by ensuring fairness and honesty in the securities industry. In January 2010, FINRA issued Regulatory Notice 10-06, providing guidance on the application of FINRA rules governing communications with the public to social media sites and reminding firms of the recordkeeping, suitability, supervision and content requirements for such communications. Since its publication, firms have raised additional questions regarding the application of the rules. Key take aways from FINRA’s guidance include the flowing:
Brokerages have supervisory and record keeping obligations based on the content of the communications – whether it is business related – and not the media
Broker-dealers must track and supervise messages that deal with business
Firms must have systems in place to supervise and retain interactions with customers, if they are made through personal mobile devices
A broker must get approval from the firm if she mentions her employer on a social media site
Pre-approval for instant messages, also known as “unscripted interactions’ in legalese, is not necessary as long as supervisors are informed after the fact
Many professionals in regulated industries are eager to leverage social media to market and communicate with existing and prospective clients and to increase their visibility. However, participants must ensure compliance with all of the regulatory requirements and awareness of the risks associated with using various forms of social media. Hopefully, the guidance outlined above can serve as a good starting point for discussions about how best to use of social media as well as suggestions regarding factors that firms may wish to consider is helpful to firms in strengthening their compliance and risk management programs. We invite you to contact us with comments and requests about how we can help you educate your employees, prevent fraud, monitor risk, and promote compliance. We can be reached at lsglegal.com, 866-734-256, @adlerlaw and email@example.com.