FINRA Guidance on Social Media Used for Business Purposes
Use of social media websites for business purposes should be treated no differently from any other business-related electronic communication. Firms must ensure they have sufficient systems, policies and procedures to supervise, review and retain business communications made using social media sites.
Regulatory Notices (“RN”) 10-06 and 11-39
In January 2010, FINRA released RN 10-06 to provide guidance to its members on how to handle issues relating to the use of social media websites by firms and their associated persons. Twenty months later in August 2011, in response to questions from members, FINRA issued RN 11-39, supplementing the guidance in RN 10-06. In these regulatory notices FINRA focused on the member firm’s recordkeeping, suitability, content and supervision responsibilities with respect to the use of social networking sites and technology used by the firm or its personnel for business purposes.
FINRA stopped short of prescribing the type of procedures that a firm should adopt for this purpose, and relied on the broad statement that “each firm must develop policies and procedures that are best designed to ensure that the firm and its personnel comply with all applicable requirements.”
Prior to the use of any social media site for business purposes by an associated person, a registered principal of the firm must review and evaluate the content of the proposed message in the final form in which it will be “launched.” Firms should prohibit any associated person from engaging in business communications in a social media site that is not subject to the firm’s supervision. Firms should also conduct training and education concerning its policies as they relate to social media.
FINRA makes a distinction between social networking communications and blogs that are “interactive” and those that are “static.” Under NASD Rule 2210, a “public appearance” includes participation in interactive blogs and chats. These interactive communications about the business of the firm do not require prior approval by a registered principal. FINRA advises firms that they may want to adopt risk-based procedures to randomly spot-check, search and review such communications to ensure they do violate any FINRA and SEC rules with respect to content or otherwise. However, the software of many firms that archives electronic communications is unable to capture interactive communications on social media sites.
A static posting on a social media site relating to the business of the firm is an “advertisement” under NASD Rule 2210. This means that it requires approval by a registered principal prior to posting. It is possible that interactive content can become static, for example when it is copied and posted in a static forum, in which case it would then require prior approval before posting. More commonly, static information relates to or describes a firm’s business and is posted on the “wall” of someone’s Facebook page or profile information on LinkedIn. Any material change to this static information will also require prior approval before it can be posted. LinkedIn is a social networking site that is driven primarily by business communications. FINRA states in RN 11-39 that whereas sending a resume to a potential employer could be viewed as not involving firm business, posting a list of products and services offered by the firm likely is a business communication that requires prior approval before posting.
Firms may also have difficulty supervising an associated person who recommends a security to a customer via a social media site. This will generally trigger a suitability obligation or other requirements under the federal securities laws. FINRA has brought disciplinary actions relating to interactive electronic communications that contained misleading statements about the investment products recommended in the communication. RN 10-06 states that as a best practice firms should consider prohibiting all interactive electronic communications that recommend a specific investment product and any link to the recommendation unless the content had the prior approval of a registered principal.
Similar to email and other electronic correspondence of the firm, communications made through social media for business purposes must be preserved for at least three years, for the first two years in an “accessible” place. It does not matter whether the business communication is delivered via a firm-issued or personal device nor whether it is a static or interactive communication so long as the firm can retain, retrieve and supervise the communication. This is precisely the reason that firms should have robust policies and procedures and training and education. Firms should also make it clear to all associated persons that they must engage in business communications only via a firm system which can be retained, retrieved and supervised. Otherwise, firms should ensure that associated persons that are permitted to use their own personal devices for business communications have a separately identifiable application on the device for the business communications that are accessed through a secure portal into the firm’s system. This will allow firms to review only the business communications, although FINRA does state that firms are free to treat all communications made through the personal device as business communications.
Third-Party Posts, Links and Websites
Firms must not establish a link to any third-party site which they know or have reason to believe contains false or misleading content. A firm will be responsible for the content of a linked third-party site if the firm “adopts” or becomes “entangled” with its content. FINRA defines adoption to include the firm’s endorsement of the content of a third-party site and entanglement where the firm participates in the development of the content of a third-party site. According to FINRA, and pursuant to NASD Rule 2210, a firm or associated person that “co-brands” a third-party website by placing the firm’s logo prominently on the site is responsible for the entire site under the adoption theory.
So long as the firm does not adopt or become entangled with a customer or other third-party post on a social networking site, the firm will not be responsible for supervising or retaining the third party’s communication. The firm may also delete inappropriate third-party content without being deemed to have adopted the content of that same third-party that was not deleted. Firms may want to consider including a disclaimer on their site to inform investors and/or customers that any third-party statements are not the views of, or endorsed by, the firm. The FINRA Social Networking Task Force has said that some firms monitor third-party posts on firm websites to mitigate the perception of adoption. The Task Force has also stated that other best practices include:
- establishing appropriate usage guidelines for customers and other third-parties that are permitted to post on firm-sponsored websites;
- establishing processes for screening third-party content based on the expected usage and frequency of third-party posts; and
- disclosing firm policies relating to its responsibility for third-party posts.
If a third-party posts a business-related communication on an associated person’s personal social media site, the associated person may respond so long as this is done in compliance with the firm’s policies and procedures, meaning it is pre-approved by a registered principal and the communication is retained as part of the firm’s books and records.
While the advent of social media sites has made a major impact on how business is conducted, firms need to recognize that these sites should be treated no differently than any other medium that is used to communicate for business purposes. So long as this technology is used by the firm or permitted to be used by a firm’s associated persons, the firm must have clear policies and procedures to supervise the activities, and systems in place to capture the records of the communications. Firms must also recognize and distinguish between interactive and static content to ensure they are supervised appropriately, and take precaution when dealing with third party links and posts.
All of this can be dealt with the same way that firms currently supervise email and other permitted electronic communications. It starts with the firm having very clear and robust written supervisory policies and procedures.
If you have any questions on anything written herein or require assistance in amplifying and adapting your firm’s procedures to deal with this developing technology and the recent FINRA guidance, please contact Ethan L. Silver (212-238-8687, email@example.com) or Faith Colish (212-238-8873, firstname.lastname@example.org).
 Securities Exchange Act Rule 17a-4(b)(4).
Carter Ledyard & Milburn LLP uses Client Advisories to inform clients and other interested parties of noteworthy issues, decisions and legislation which may affect them or their businesses. A Client Advisory does not constitute legal advice or an opinion. This document was not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.
© 2018 Carter Ledyard & Milburn LLP.
© Copyright 2011