GETTING SOCIAL: The Rules
March 22, 2012 4:47 PM
If youre getting serious, heres the regulatory landscape for social media, as of March 2012. This compilation of 11 factors to consider was prepared by Rajib Chanda, a partner at Ropes & Gray, for the Investment Company Institute Mutual Funds Conference. He compares the guidance of the Securities and Exchange Commission for registered investment advisers and the Financial Industry Regulatory Authority for brokers. Then comments on what it means in practice.
Every firm that intends to communicate, or permit its associated persons to communicate, through social media sites must retain any electronic communications that relate to its business as such. Broker- dealers must preserve records for a period of not less than three years, the first two in an easily accessible place. The content of the communication is determinative, not the type of device or technology used to send the communication, nor does it depend on whether the communication was sent using a firm-issued or personal device. FINRA does not endorse any particular technology or software necessary to retain such records.
A registered investment adviser (RIA) must retain records of communications that satisfy an advisers recordkeeping obligation under Advisers Act Rule 204-2. A firm that intends to communicate using social media must determine that it can retain all required records related to social media and make them available for inspection. The SEC permits third parties to be retained to manage these recordkeeping responsibilities.
Both agencies have similar recordkeeping responsibilities, other than the differences in scope and retention periods under the respective rules. The use of social media on personal devices presents a real challenge from a record-keeping perspective. Firms should consider using third-party software or developing internal software to maintain records, given the volume of records that can be created. Firms should set a clear policy on whether to maintain records of deleted posts (for instance, third party posts).
Firms are prohibited from posting any untrue or misleading statements, and communications are required to be fair and balanced. In addition, firms may not establish links to third party sites that the firm knows or has reason to know contains false or misleading content.
Advertisements may not contain any untrue statements of material fact or be otherwise false or misleading. The SEC will apply a facts and circumstances test to determine if marketing materials violate this provision.
One might consider whether certain types of communications (e.g., customer service-related responses) are advertising and, if not, whether different standards of review might apply. For global firms, firms will also want to consider the reach of social media communications outside the United States.
If a broker-dealer recommends a security through a social media site, that broker-dealer must ensure that the recommendation is suitable for every investor to whom it is made. As a best practice, firms should consider prohibiting all social media communications that recommend a specific investment product and any link to such recommendation, unless a registered principal has previously approved the content.
A firm may consider the risks that content created by the firm implicates its fiduciary duty or other regulatory issues, such as the suitability requirement. A firm should articulate clear rules with respect to such content and may decide to prohibit specific content entirely. The SEC Alert notes that a majority of RIAs have prohibited the posting of recommendations or information on specific products or services.
Both agencies have taken a similar approach and encouraged firms to prohibit all social media communications that recommend a specific investment product without being certain that the recommendation is suitable for every potential member of the audience. This should be considered particularly carefully when determining whether to permit the use of question and answer social media sites. Firms should exercise caution in using the direct messaging function to provide advice without suitable disclaimers.
Static content posted to social media sites, such as users profiles or blogs, must be pre-approved by a firm principal before it is posted. Real-time communications, such as interactive posts on Twitter and Facebook, are not required to have a registered principal approve these communications prior to use. However, firms still must supervise all of these communications. Interactive content can become static content if it is re-posted to a static area of a website or blog. In these instances, the pre-approval rules for static communications would apply.
A firm may want to consider the appropriateness of pre-approval requirements rather than relying solely on post-use review.
The pre-approval of postings on a social media site is currently only required for broker-dealers and it is only required when broker-dealers share static content. In contrast, the SEC leaves it within the discretion of the RIA to mandate any pre-approval requirements as part of its social media policy, but suggests that all posts might require pre-approval. Practices differ as to whether Facebook status updates, for example, constitute static content or real-time communications.
While all static content requires pre-use approval, interactive electronic content does not require such pre-approval and only must be properly supervised. Firms may adopt procedures that require principal review of all or some interactive electronic communications prior to use and may adopt various methods of post- use review, including sampling and lexicon-based search methodologies.
A firm should consider the frequency with which it monitors a RIAs activity on social media. This determination could depend on the volume and the pace of communications posted on a site or the nature of, and the probability to mislead contained in, the subject matter of a conversation stream. The SEC warns that post-use review may not be reasonable in all circumstances, so RIAs need to be aware of the risks posed by certain posted content to investors and the markets. To monitor social media use, a firm may consider using sampling, spot checking, lexicon-based methodologies or a combination of methods.
FINRA mandates that interactive electronic communication is supervised, but it leaves it within the discretion of the firm to determine what constitutes proper post-use supervision. The SEC leaves open the question of what level of frequency of supervision is required, suggesting that this determination should be based on the risk posed to investors. Whatever procedures are adopted, the firm must properly supervise social media interactions to ensure that such communications do not violate FINRA or SEC rules, respectively. As a general matter, supervision policies should also consider supervision with respect to other securities laws, such as insider trading, private placement exemptions, etc.
Firms must provide employees with the necessary training and background to engage in social media communications on behalf of the firm. Firms must limit such communication to employees who have been properly trained and authorized. Further, these employees must not present undue risks to investors or demonstrate compliance risks. FINRA notes that some firms require each associated person who uses social media on behalf of the firm to certify their compliance with the firms policies on an annual or more frequent basis.
Before using a social media site, a firm should consider the risk exposure due to the reputation of the site, the sites privacy controls, the controls on third party posts, the advertising practices of the site, and how changes in site functionality may alter the firms exposure. Firms should consider implementing training programs specifically for social media compliance and they should consider requiring RIAs and advisory solicitors to certify their understanding of and compliance with a firms social media policies and procedures.
Both agencies strongly encourage firms to properly train employees on social media communications before they are authorized to use it for business purposes and encourage periodic certification of their employees compliance. Training programs for global firms will also need to consider the reach of social media communications outside of the United States. New functionality in approved social media sites may require new training.
Whether a third party post is attributable to the firm depends on whether the firm has (a) involved itself in the preparation of the content (entanglement) or (b) explicitly or implicitly endorsed or approved the content (adoption). Firms may use a prominently displayed disclaimer or lay out rules regarding third party posts to help mitigate the risks, but these will only constitute parts of the facts and circumstances that FINRA would consider in determining if a firm had become entangled with or adopted third party content that violates its rules.
Firms that allow for third party postings on their social media sites may consider having policies and procedures regarding such posts, as well as creating reasonable safeguards to avoid any violation of the federal securities laws that may be caused by these posts.
FINRA has provided much more guidance on this topic than the SEC. While FINRAs notices have laid out principles to follow, the SEC Alert primarily discusses the various ways that firms are currently dealing with third party posts and leaves it within the discretion of the firm to develop appropriate procedures. The SEC Alert is more focused on how RIAs handle testimonials. The entanglement and adoption theories provide a useful framework for RIAs as well. Just because a post is adopted by a firm, or the firm is entangled in it, does not mean that the post must be disallowed. If the content of the third- party post does not violate any rules or regulations, then the firm may choose to adopt a third-party post.
Firms must be familiar with the proficiency of the vendor of the data and its ability to provide data that is accurate as of the time it is presented on the firms website. Firms must constantly monitor the accuracy of these feeds and promptly take measures to correct any inaccurate data.
The SEC has not laid out a similar guideline in its Alert on social media; however, the usual antifraud provisions are still applicable.
While the SEC Alert does not specifically address this topic, it is reasonable to believe that the agency would take an approach similar to FINRA since it would comport with the SECs general antifraud principles.
Not specifically addressed in the FINRA regulatory notices. Under NASD Rule 2210(d)(2)(A), any advertisements containing a testimonial must prominently disclose: (i) that the testimonial may not be representative of the experience of other clients, (ii) the testimonial is no guarantee of future success or performance, and (iii) if more than a nominal sum is paid, that it is a paid testimonial.
Whether a third party statement constitutes a prohibited testimonial depends on all of the facts and circumstances of the statement.
Third party use of certain social media plug-ins, such as the like feature on a RIAs social media site, could be deemed a prohibited testimonial if it is an explicit or implicit statement of a clients experience with a RIA.
Despite the language of the SEC release, it is unlikely that the SEC sought to ban Facebook for RIAs through its observation about the like function. It seems more likely that the agency only prohibits RIAs from soliciting likes. As Facebook users know, the like button is not necessarily an endorsement of a persons product or services; instead, it is simply the functionality required to follow a user on the platform. RIA policies on third party posts will need to consider these issues carefully. Firms should consider having policies regarding the use of recommendations on LinkedIn; while certain recommendations could be seen as testimonials, firms will also need to consider employment law limitations on policies that prohibit the use of this function entirely.
Firms may permit associated persons to use personal devices for business communications, as long as it is clearly stated in the firms social media policy. However, the firm must be able to retain, retrieve and supervise all of these business communications. Some firms require associated persons to respond to business-related messages received on personal devices with a non-substantive response and/or a pre-approved statement that directs the inquiry to other firm-approved media outlets. If a personal device is used for business-related communications, FINRA warns that firms are free to treat all communications made through the personal device as business communications.
Firms should consider whether to adopt policies to address whether an RIA can conduct firm business on personal (i.e. non-business) social media sites. The firms policy should address the types of business communications or content that is permitted on personal social media sites, if any.
The agencies agree that each firm needs to develop a clear policy on whether employees can use personal devices and social media accounts for business- related communications. Both agencies seem to encourage the practice of requiring employees to separate personal devices and accounts from business ones. Not permitting business use on personal devices avoids entangling the firm in employees personal affairs.
Each firm must develop policies that are best designed to ensure that the firm and its personnel comply with all of these requirements. All FINRA guidance should be considered by the firm in the context of its own business and any social media policies should be tailored appropriately. Firms must constantly monitor compliance with their policies and take disciplinary action for violations.
Firms using social media should adopt and periodically review the effectiveness of policies and procedures regarding social media. The SEC encourages firms to adopt specific social media policies, rather than relying on multiple overlapping policies that apply to other types of advertisements generally. These specific policies should be tailored to the specific firm and the specific facts and circumstances. The policies should address which specific social media sites are permissible and whether such sites can also be used by a firms solicitors.
While both agencies strongly recommend that social media policies are tailored specifically to an individual firm, the SEC has taken the additional step of encouraging firms to develop a policy dedicated solely to social media compliance. The SEC has suggested that a firms existing advertising and marketing policies may not accurately and consistently address the unique risks presented by social media communications. Recent employment law decisions suggest that simply banning the use of social media may run afoul of certain employee rights. Care should be taken in drafting policies and procedures, as arguably violations of the policies and procedures that do not otherwise violate the law could be construed as violations of the law under Rule 206(4)-7 of the Investment Advisers Act of 1940.
