November 30, 2011

KEEPING CURRENT: Social Media: Retaining and Supervising Social Media Communications under New FINRA Regulatory Notice 11-39

Philip J. Favro

Is your organization among those that have jumped with both feet into the world of social media?

Survey results confirm that social media use is on the rise for almost all organizations across the globe. This is particularly the case in the financial services industry. A recent survey conducted by Cerulli Associates confirms that nearly two-thirds of all asset managers are actively using social media for marketing purposes.

Despite its increasing popularity, the securities industry is experiencing growing pains with social media. Just like other industries, financial services providers are struggling with applying notions of information governance to these non-traditional forms of communication. Indeed, with social media becoming an increasingly important data source for both business and legal purposes, it behooves enterprises to develop a governance strategy with respect to this information. That is particularly the case with respect to retaining and supervising communications made through social networking sites.

The Challenges for Financial Services Companies

Many financial services companies are experiencing difficulty retaining or supervising social media communications as required by the Financial Industry Regulatory Authority (FINRA). FINRA—the largest private regulator of the U.S. securities industry—promulgated a landmark regulation last year to protect investors from false or misleading claims made on social networking sites. To comply with this regulation, securities firms will have to develop protocols that enable them to retain and supervise social media content and ensure conformity by their representatives.

It is no secret that social media communications continue to bedevil financial services providers. Indeed, 63 percent of surveyed asset managers reported that "regulatory record keeping" remains their greatest challenge with respect to social media. And as more firms move toward social media marketing, the number of financial services companies experiencing difficulty with retention is also likely to increase.

The challenges firms are experiencing with social media are not limited to retention. They also include the need to properly supervise communications their employees made through social networking sites. This was acknowledged by FINRA chairman and chief executive Richard Ketchum at an industry event this past June. Among other social media issues, Ketchum explained that firms have questioned how they can most effectively supervise their employees' use of smart phones and tablet computers that can access company sites.

Clarifications Regarding Retention and Supervision

In response to these matters, FINRA issued Regulatory Notice 11-39 in August 2011 to help clarify several lingering questions regarding retention and supervision of social media content. The key points that financial services companies will want to know from this regulatory notice are as follows.

Content vs. Device

The content of a communication with an investor through a social networking site determines whether or not the communication should be retained. It does not matter that the communication was made from a desktop, laptop, or smartphone. If the communication relates to the "business as such" of the firm, it falls within the preservation scope of section 17a-4(b)(4) of the Securities Exchange Act of 1934 (SEA).

Employee Use of Personal Devices

Firms may allow their employees to communicate with investors from their personal devices such as smartphones and tablet computers; they are not limited to using work-issued devices. This, however, does not obviate the requirement that such communications should be preserved. As the notice makes clear: "The firm must be able to retain, retrieve and supervise business communications regardless of whether they are conducted from a device owned by the firm or by the associated person." To ensure those communications are preserved, firms should use an "application" to ingest communications from employees' personal devices into its retention files.

Technology that Eliminates Content

Certain devices and social media sites can be programmed to automatically delete communications. Because such a feature would potentially circumvent document retention obligations under SEA Rule 17a-4, financial services companies and their employees are forbidden from using sites or devices equipped with that technology.

Third-Party Posts

There is generally no obligation to keep third-party posts to firm-hosted social media sites unless the firm "adopts" or becomes "entangled" with the content of those third-party posts.

Best Practices

Given the complexity of these issues, regulated enterprises need to implement best practices to ensure compliance with pertinent SEA and FINRA requirements. While there are perhaps many steps that could be taken, three stand out as indispensable for firms.

The first is that companies should develop a global plan for how they will engage in social media marketing. This initial step is particularly important for groups that are just now exploring the use of social media to communicate with investors. Having a plan in place that maps out investor contact and communication strategy, provides required supervision of firm representatives, and accounts for compliance with regulatory requirements is essential for securities firms. Failing to take these steps could result in fines, suspensions, or worse.

The next step involves educating and training employees regarding the firm's social media plan. In FINRA 11-39, firms were repeatedly urged to train and educate their employees regarding applicable social media policies. This should include instruction regarding what content may be posted to social networking sites and the internal process for doing so. Policies that describe the consequences for deviating from the firm's social media plan should also be clearly delineated. Those policies could detail the legal repercussions for both the employee and the firm for any social media missteps.

Third, firms can employ technology to ensure compliance with their social media plan. Indeed, FINRA 10-06 specifically emphasizes the importance of deploying technological systems to facilitate conformity with the regulation's "Recordkeeping Responsibilities" requirement. Those systems include archiving software and other technology tools. With the right tools in place, firms can perform a cost-effective supervisory review of content to help ensure compliance with corporate policy and regulatory bodies. Moreover, an effective system will implement legal holds and efficiently retrieve archived social media content in response to regulatory and legal requests. All of which enables a company to establish the reasonableness of its retention and e-Discovery processes and demonstrate compliance with relevant SEA and FINRA requirements.

By following these steps and other best practices, financial services companies can begin to reasonably address the challenges of social media. And knowing that those challenges are being dealt with in an effective manner will enable firms to confidently engage in social media marketing and reap the financial benefits of doing so.

Philip J. Favro

Attorney, Symantec Corporation

Favro is a discovery attorney at Symantec Corporation in Mountain View, California.