IA brief: State laws may require firms to re-think social media policies

Federal and state privacy legislation aiming to protect against employer access to private social media websites may put Broker-Dealers and Investment Advisers in a bind -- unable to fully supervise certain social-media and electronic communications used by their representatives.

Financial services firms have been carefully embracing social media over the last few years. Firms have shaped policies and procedures with a balance between the needs and wants of their representatives while still making it possible to supervise and ensure compliance with regulatory regulations and guidance.

Some adopted and proposed state legislation on social media conflicts with that delicate balance, even preventing firms from fulfilling current regulatory obligations. The legislation may require a firm to modify its policies and procedures in areas including: types of sites allowed, frequency and content of attestations or certifications of adherence to the firm policies, surveillance techniques and the amount of staff or time allotted to social-media supervision.

The Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC) have published recent notices that include defining the types of social media postings, general supervision guidelines and specific electronic record-keeping requirements. The SEC and FINRA have laid out general regulatory guidance but left most of the specifics to the firms and their compliance departments.

Under federal and FINRA guidance, a firm that allows any type of business-related social media is required to supervise the business communications, offer training for those individuals and fulfill certain record-keeping requirements. The regulators have been in concert with their message, if a firm believes that they cannot effectively capture social media communications, they shouldn’t allow it.

At the state level, Maryland, Illinois and California have already passed social-media legislation. Other states including Delaware, Massachusetts, Minnesota and New York are considering similar social media privacy bills. For example, in Maryland, employers are prohibited from requesting or requiring information such as the username or password to access an employee’s or applicant’s personal social media accounts, such as on Facebook and Twitter. The legislation does have a slight carve-out, permitting an investigation for ensuring compliance with applicable securities requirements, although the firm must first have information indicating a potential wrongdoing.

Some firms use online monitoring systems that require a representative’s social media credentials, so firm's can retain the business communications and supervise. Few if any firms are believed to allow representatives to use personal social media outlets for business said Paul Cox, CEO of Business Compliance Partners, a San Diego-based compliance consulting firm. For those who do, the practice will be eliminated as a result of the many state laws.

Exceptions to the MD law allowing access to personal accounts based on indications of wrongdoing nonetheless sharply restricts routine monitoring, contrary to the principles of continuous supervision required at broker-dealers or investment advisers. Firms will have to rely on a representative’s word or written attestation and public information from social media sites to ensure that someone is not using a personal site for business use, violating firm polices and ultimately misleading the investing public.

Possible consequences or changes

Social media use will grow at a rapid pace, but the state laws may make firms re-think their current social media programs and even limit them further in some cases. Possible consequences or changes to consider may include:

• A shift to more corporate social media sites. This is especially apparent with social media sites with privacy settings, such as Facebook. "The progressive firms will build company websites and have their associates link to their corporate sites so that they can integrate their marketing efforts," Cox said. This would be, he said, “likely to deter the temptation to use a personal account for business purposes.”
• Limits or bans on the use of social media sites that have private content. For example, firms may modify their procedures to only allow sites like LinkedIn or Twitter that have a more open architecture.
• Require more-specific personal-use policies, including a ban on business content on a personal social media site. A firm may also have to be specific on what social media sites it does not allow for any type of business communications.
• More frequent attestations or certifications of policy adherence at firms that bar business communications on personal sites or certain social media sites. Increased training may also be necessary.
• Reviewing in routine supervision of public information on social media, gathered through an online retention tool or manually. This may require more staff and time.
• Firms may try to have representatives agree to a “friend” relationship, or to follow a specific individual at the firm to enable ongoing supervision. This type of fix may contradict the spirit of the new laws and may be challenged by a representative.
• Firms may also have to resort to reviewing an individual’s personal social media sites “over-the-shoulder” to ensure compliance, resulting in additional time and resources.

The wave of state legislation on this issue will most likely continue and federal legislation has been proposed. The brokerage and adviser community along with FINRA will continue to make their point heard - industry groups had proposed a broker exception for the California law. In other words, it’s time to consider the options to ensure compliance on all points.

The California and Maryland laws can be found here and here. A copy of the proposed federal legislation can be found here.