The Law and Business of Social Media
January 06, 2012 - Securities Law

Updated FINRA Guidance on Social Media Websites and the Use of Personal Devices

On August 18, 2011, the Financial Industry Regulatory Authority, Inc. (“FINRA”) issued Regulatory Notice 11-39 providing guidance to broker-dealer members on social networking websites and business communications.  The notice represents FINRA’s first update to its guidance on social media since the release of Regulatory Notice 10-06 in January 2010. Regulatory Notice 11-39 merely clarifies existing guidance; accordingly, it is not likely to result in major changes to current social media policies of member firms.

Background.  To understand the guidance, it is important first to understand the difference between static and interactive electronic communications.  In 2003, NASD Rule 2210 (on communications) was amended to include participation in an interactive electronic forum in the definition of “public appearance.”  Since then, FINRA rules do not require prior approval of postings by member firms or their associated persons on interactive electronic forums.  In contrast, static communications or postings are regulated as “advertisements” under FINRA rules and, accordingly, are required to be reviewed by a registered principal.  Member firms and their associated persons must distinguish between static and interactive electronic communications.

Recordkeeping.  Rules 17a-3 and 17a-4 under the Securities Exchange Act of 1934 and NASD Rule 3110 have long required that a broker-dealer retain electronic communications made by the firm and associated persons that relate to the firm’s business (i.e., business communications).  The posting of content on a website by a member firm or its associated persons is a communication under the FINRA rules and, accordingly, is subject to applicable FINRA recordkeeping rules.  According to FINRA, the determination of whether an electronic communication is related to a firm’s business and subject to recordkeeping, is a facts and circumstances assessment.  Neither the type of device or technology used to transmit the communication nor the ownership of the device is relevant. Finally, with respect to recordkeeping rules, the requirements are the same for both static and interactive electronic communications.

Analyzing a communication is therefore inherently subjective.  FINRA notes that autobiographical information, such as location of employment and job responsibilities, might not be a business communication when included in a resume sent to a potential employer.  However, listing products and services provided by a firm would constitute a business communication.  Compliance departments must develop policies and procedures to help guide their personnel through the subjective nature of these determinations rather than leaving it to the discretion of individual associated persons or deciding on a case-by-case basis.

FINRA cautions member firms that neither they nor their associated persons may sponsor media sites or use communication devices that automatically erase or delete content.  The automatic deletion of content precludes compliance with the recordkeeping requirements.  FINRA also cautions that, although third-party posts are generally not attributed to a firm or an associated person, the recordkeeping rules require retention of communications received by a firm or an associated person relating to its business and, thus, third-party posts may be subject to recordkeeping obligations.  Firms need to make sure that their associated persons that maintain social media sites do not use the sites for business purposes, and that such associated persons have adequate training and education regarding third-party posts, FINRA rules and firm policies. If the particular social media sites have the relevant compatibility, firms should consider requiring that associated persons include static legends on their media sites warning readers that neither the applicable member firm nor the associated person is responsible for third-party content.

Supervision.  NASD Rule 3010 provides that member firms must establish and maintain a system to supervise the activities of each registered representative, registered principal and other associated person, and that the system must be reasonably designed to achieve compliance with applicable securities laws and regulations and with applicable FINRA rules.  If an associated person wants to use a social media site for business purposes, FINRA rules require that a registered principal should review the site prior to its use, to the extent that the content is static.  A site should only be approved for use for business purposes if the registered principal has determined that the associated person can and will comply with all applicable FINRA communication rules, federal securities laws and individual firm policies.

FINRA notes that a registered principal must review an associated person’s proposed social media site in the form in which it will be launched and notes that some firms require review by a registered principal of the associated person’s initial posting on an interactive forum within the site.  Postings on an interactive forum generally do not require prior approval under FINRA rules but, according to FINRA, review of the initial post allows the registered principal to review the site in its final design.  Member firms should continue to supervise the site, from time to time, for compliance with applicable rules and federal securities laws after launch.

FINRA explained that interactive content may become static through different acts and that such a change in format would change the treatment of such communications under the rules (for example by taking a “comment” on a Facebook post and copying it as a static Facebook “status update”).  FINRA also cautioned firms that, as with any other advertisement under FINRA rules, a registered principal must review material changes to previously approved static posts.  Associated persons will need to monitor their sites and registered principals must supervise appropriately to ensure continued compliance.

FINRA also cautions that a firm must follow up on “red flags” that indicate noncompliance by its associated persons.  FINRA explained that some firms require that associated persons certify annually, or more frequently, that they are in compliance with supervision rules.  It also explained that some firms perform random spot checks of websites to monitor firm policy compliance.

Third-Party Links, Third-Party Posts, and Websites.  FINRA explains that a firm may not establish links to third-party sites that the firm knows, or has reason to know, contain false or misleading content, and should not do so when there are red flags to that effect.  Further, FINRA advises that under applicable communication rules, a firm may become responsible for content on third-party sites if the firm has adopted or becomes entangled with the content on the third-party sites.  A firm may be deemed to be entangled with a third-party site if, for example, the firm participates in the development of content on the third-party site.  Also, a firm may be deemed to adopt third-party content if it indicates on its site that it endorses the content on the third-party site.  Many social media sites allow third parties to “recommend” a person and allow users to request recommendations.  Member firms should consider prohibiting associated persons from soliciting recommendations.  Otherwise, the firm may be deemed to have “adopted” the third-party recommendation.

Firms should consider making sure that links to third-party sites are only accessible through a new window, and that a legend appears on the screen warning the reader that he or she is leaving the firm site and disclaiming any responsibility for third-party content.  It is unlikely that such legends will shield a member firm from sanction by FINRA, if applicable, but posting such legends may be effective for limiting liability relating to customer claims.  Firms should make sure that their policies relating to social media sites address links to third-party sites.

In addition to adoption and entanglement, if a member firm cobrands a third-party site, it will effectively adopt the content of the entire site.  A member firm may co-brand a site by, among other things, placing the firm’s logo prominently on the site.

FINRA explains that an associated person may respond to business-related posts by a third-party on the associated person’s personal social media site as long as the associated person’s firm does not have a policy prohibiting the use of personal social media sites for business purposes.  This principle applies to all business-related, but not personal, posts.  For example, the associated person may respond to questions regarding securities through his or her site unless prohibited by the applicable member firm.  FINRA notes that some firms allow their associated persons to post a non-substantive response to a third-party post and allow pre-approved statements that associated persons may use as a response that direct the third-party to a firm-approved communications medium, such as the firm’s e-mail system.

FINRA also provides some comfort for firms that have a policy of deleting inappropriate third-party content.  A firm that has a policy of routinely blocking or deleting certain types of content will not be deemed to have adopted similar content that was neither blocked nor deleted.

Data Feeds.  FINRA cautions that firms must manage data feeds inputted into their websites.  As data feeds may contain inaccurate data, firms must be familiar with the proficiency of the vendor providing the data and its ability to provide accurate data.  Managing data feeds involves understanding the criteria used by vendors in collecting or calculating the data, regularly reviewing the data for red flags and promptly taking necessary measures to correct any inaccurate data.

Accessing through Personal Devices.  FINRA explains that firms may permit their associated persons to use personal devices to access firm business applications and to perform firm business activity.  However, FINRA cautions that a firm must be able to retain, retrieve and supervise business communications regardless of the ownership of the device.  According to FINRA, it is a good idea for a firm to require that, if possible, separate applications on a device be used for business communications to facilitate retrieval of the business communications without retrieving personal communications.  FINRA also notes that an application that provides a secure portal into a firm’s communications system is preferable, especially if confidential customer information is shared.  If a firm has the ability to separate business and personal communications on a device, and has adequate policies and procedures regarding usage, the firm will not be required to (but may voluntarily) supervise personal communications on the device.

Conclusion.  Regulatory Notice 11-39 reaffirms FINRA’s general expectations of member firms with respect to business communications.  FINRA stressed repeatedly that member firms must have policies and procedures in place that cover the firms’ compliance efforts with the communication rules, and that the policies and procedures must include training and education.  Of course, the firms’ training and education must include training on the firms’ policies relating to social media and the need to continuously monitor such sites.  Firms should also consider continuous refresher courses for their associated persons to make sure they remain vigilant of the need to consider how continuously changing technologies may be treated under the rules.