As more financial firms use social media to reach and engage with customers, regulators including the SEC and FINRA still require that they preserve social media posts and communications. But many still lack robust processes for social media compliance, and FINRA and the SEC continue to hand out fines for violations.
In our latest webinar, The Compliance Officer's Guide to Social Media Archiving & Supervision, our VP of Compliance Supervision, Don McElligott, and I explored social media use by broker-dealers and investment advisers, and some of the pitfalls. We also shared some best practices for ensuring compliance across the organisation when it comes to recordkeeping and supervision requirements for more dynamic platforms.
Social media was also the focus of a dedicated panel session at FINRA’s recent Annual Conference, where John Sazegar of FINRA Member Services made it clear to delegates that social media content is high on its radar when it comes to investigations.
SEC and FINRA rules on retention and supervision
Social media sits squarely within the requirements of Rules 17a-3 and 17a-4 imposed by the SEC, mandating the preservation and retention of all electronic correspondence under the Securities Exchange Act of 1934.
SEC regulations require broker-dealers to take steps including, but not limited to:
- Storing electronic records in a non-rewritable, non-erasable format (WORM format)
- Storing original and duplicate copies of records in separate locations
- Ensuring an auditing system is in place for all electronic records and that results are available for examination on request by the regulator
FINRA Rule 2210 requires that communications with investors be fair, balanced and not misleading; this also applies to social media. Within such a dynamic medium, recordkeeping practices must keep pace with any changes that social platforms make that could, unknown to firms, negatively impact their compliance.
Violations and enforcements
The potential cost of a social media violation is not to be underestimated. Our webinar drew on examples of FINRA settlements from $20K through to $2.5M. Each involved – but was not limited to – a failure to properly preserve or supervise firm social media or to retain records in the required format. Failure to approve and supervise the accounts and posts of the firm’s FAs, as also governed by FINRA regulations, was another common violation trigger. The most severe case comprised multiple failures to retain key communications across email and social media over a three-year period.
The GameStop effect
The role of social media in influencing markets was another key talking point at the above-mentioned FINRA panel. When the stock price of GameStop surged in January, it followed what John Sazegar referred to as “a high volume of bullish sentiment [online and through social media]”. While investigations into GameStop are ongoing, the example was used to highlight how FINRA’s Fraud Surveillance Team approaches investigations, in which the content of social posts, or indeed their timing relative to (in this instance) subsequent trading activity, would be probed.
Clearly, sufficient retention of social media records for the firm and any ‘associated persons’ (i.e. in the desired formats, for the required period, and sufficiently indexed and examinable) is a ‘must have’ should the regulator ever come knocking, with penalties meted out to those that breach the rules. As John Sazegar said himself: “It’s not just about records managing… We’re always on the lookout for social posts by FINRA-registered representatives…”, highlighting the accountability at firm and employee level.
Social Media Compliance: Five Ways to Prepare
So, faced with this ‘Wild West’ of social media, what key steps do broker-dealers and advisers need to take to protect themselves when leveraging social media for investor engagement, and what should they be looking for from a compliance solution? Here are some takeaways from our webinar.
- Know Your Vendor
When it comes to technology that helps you meet compliance rules, not all solutions are equal. There’s more to managing social media in a way that truly meets 17a-3 and 17a-4 requirements than pure capture, including WORM-compliant storage, third-party download designation and traceability for audit. Does your vendor cater for these obligations? Also, how do they capture the data? Is it through an application programming interface (API) that’s endorsed by the social platform and captured appropriately? Or does it ‘scrape’ data from the web or use third parties to ‘intercept’ data via the user? In certain scenarios, a user may be able to avoid aspects of data capture, so the rigor of your compliance approach will be informed in part by the answers to these questions.
- Ensure teams co-operate and are trained
In the ever-changing world of social media, understanding what you can and can’t capture at any given time is key. If LinkedIn makes changes to its API or adds a new feature or plug-in, compliance won’t be its default concern. Your vendor should prepare you for any such changes, and what they mean for what you can and can’t archive, sooner rather than later, so that you in turn can educate those authorized to access social media for your organization about any limitations. Often those people will need to take physical steps to maintain compliance, such as authenticating on your behalf, so this really is a vital stage. Teams who are regularly trained in social media policy, are informed how any changes affect their responsibilities, and then take the necessary actions leave firms less exposed to compliance gaps.
- Perform regular lexicon reviews
Different platforms play host to different language and communication styles. What someone says in an email may differ from what they would tweet or post on LinkedIn. Lexicons need to cater to the nuances of social engagement and keep pace with the change while facilitating all-important supervision should remedial action need to be taken.
Most vendors have a set of policies or keywords that will address certain (financial) issues, but given the dynamic nature and reach of social media, lexicons should be revisited every six months to keep abreast of changes and check your review approach is fit for purpose. Here is where your archiving vendor can help you adapt policies as needed.
- Capture feedback
The best review tools provide a mechanism for front line content reviewers to provide feedback so that lexicons can be adapted accordingly. How do you capture feedback directly from them and update and refine your lexicon so you will be better placed to react, rather than waiting to see it in your policy review queue?
- Create dedicated policies for Social Media
In the early days of email and policy reviews, firms would balance lexicons with random sampling, but the volume of email today makes that impossible. Fortunately, lexicon accuracy has almost eliminated this need and it’s far easier to find relevant content.
When it comes to the Wild West of social media, however, where there’s more happening than you can keep up with, it’s worth taking time to create dedicated policies. Even with a strong ‘random sample’ you can gauge what’s out there to help inform your policy approach and the kind of lexicons you might need going forward.
The Global Relay Archive helps your organization harness the power of social media for marketing, networking, and 1:1 communication with customers, while complying with SEC, FINRA®, IIROC, MiFID II, GDPR, and other data retention and supervision rules.
To find out more contact us to speak to a specialist.