Enterprise social software is on fire. Financial services organizations have jumped on the bandwagon and are beginning to use platforms like Jive, SharePoint, Connections, Yammer, and others to collaborate and enhance productivity. But, lurking in the shadows is the Financial Industry Regulatory Authority (FINRA) whose Regulatory Notices 10-06 and 11-39 apply equally to these platforms, just as they do to Facebook, LinkedIn, and Twitter, everybody’s social media darlings.
This means that compliance officers and legal counsel have to meet similar governance requirements as the ones for email and IM when deploying social software technologies.
This whitepaper details:
• Key rules, guidelines, and notices that impact FINRA member firms’ use of enterprise social software
• Potential risks of social software use
• 9 tips on how firms can utilize social software without incurring FINRA’s wrath
9 Keys to FINRA Blessing Enterprise Social Software Use
Contents
Executive Summary ... 3
Growth of Enterprise Social Software ... 4
Compliance Risks ... 4
Regulatory Risks ... 5
Legal Risks ... 6
User Behavior and Policies ... 6
Key Rules ... 7
FINRA Rule 2210 (Communications with the Public) ... 7
NASD Rule 3010 (Supervision) ... 8
FINRA Rule 4511 (Books and Records) ... 9
Key FINRA Notices ... 10
Regulatory Notice 07-59 (Supervision of Electronic Communications) ... 10
Regulatory Notice 10-06 (Social Media Websites) ... 11
Regulatory Notice 11-39 (Social Media Websites and Use of Personal Devices) ... 12
How Actiance Meets FINRA Compliance Requirements ... 13
Vantage ... 13
Nine Steps to ESS Compliance ... 14
About Actiance ... 15
Executive Summary
In January 2010, the Financial Industry Regulatory Authority (FINRA)
issued Regulatory Notice 10-06, its latest guidance in a series on
electronic communications specifically related to social media websites.
The growth in social networking is huge and is now matched by the
adoption of enterprise social software (ESS). Organizations are deploying
ESS for their employees, partners, and customers to accelerate business
process through improved collaboration and expertise discovery. A social
business embraces networks of people to create business value. It does
this by deepening its relationships with customers, driving operational
effectiveness, and optimizing its workforce.
With the publication of FINRA Regulatory Notice 10-06, compliance
officers now know that, when evaluating social software technologies, they
have to meet requirements similar to those that have long existed for email
and instant messaging. This whitepaper sets out some of the key rules,
guidelines, and associated risks for FINRA member firms and suggests
ways that organizations can use technology to protect themselves and their
registered representatives.
Growth of Enterprise Social Software
Over the past decade, organizations have been shifting an increasing
number of enterprise tasks and content over to collaboration platforms
such as Jive, SharePoint, Connections, and Yammer, to name a few. Additionally,
enterprises are now leveraging these platforms’ social media capabilities,
such as exchanging documents, posting blog entries, and soliciting
feedback (i.e., basically anything that facilitates collaboration and
enhances employee productivity).
The growth of these platforms is reflected in the following data points:
• Enterprise Social Software space is expected to reach $2 billion by
2014 (Source: IDC).
• Among all of Microsoft’s server offerings, SharePoint achieved $1
billion in annual revenue in the shortest amount of time.
• Microsoft acquired Yammer for $1.2 billion (June 2012).
• 61% reduction in time spent on compliance activities through the use
of social software (Deloitte Center for the Edge Study, March 2011).
The bottom line is that many stakeholders have benefited from the growth
of social business platforms.
Compliance Risks
The risks that ESS tools pose are very similar to those of other electronic
communications like email: non-compliance with government and industry
regulations and substantial litigation and eDiscovery costs. The principles
for applying policies and remaining compliant are the same as for email.
A sampling of regulations and statutes outside of FINRA guidelines that
relate to the governance of ESS content is listed here:
Regulation or Rule: Impact

Gramm-Leach-Bliley Act (GLBA): Information protection; monitor for sensitive content and ensure it is not sent over public channels (e.g., Twitter).

Investment Advisers Act of 1940: Investment advisers are prohibited from publishing, circulating, or distributing any advertisement which refers, directly or indirectly, to any testimonial of any kind concerning the investment adviser or concerning any advice, analysis, report, or other service rendered by such investment adviser.

SEC 17a-3 and 17a-4: Specifies the types of electronic records that must be preserved. Also specifies the manner and length of time that the records maintained by broker-dealers must be preserved.

PCI: Ensuring cardholder data is not sent over unsecured channels and proving it has not occurred.

Federal Rules of Civil Procedure (FRCP): Email and IM are ESI (Electronically Stored Information). Posts to social media sites must be preserved if reasonably determined to be discoverable.

Sarbanes-Oxley (SOX): Businesses must preserve information relevant to company reporting. This means all IM and social media “conversations” are relevant.
Regulatory Risks
The problem for regulated financial institutions is that inappropriate use
of such widely available communications and collaboration tools can mean
non-compliance with government and industry regulations, resulting in
hefty fines, potential loss of business, and fraud.
In 2011, FINRA discovered that Jenny Ta, a registered broker in
California, failed to inform a registered firm principal that she had a
Twitter account, which she used periodically to tout a specific stock.
Moreover, FINRA found that her tweets often predicted an imminent price
increase and that she didn’t disclose her family’s substantial position in
that stock – all of which violated FINRA rules. She was fined $10,000
and suspended for a year.
Similarly, in 2012, the SEC filed an enforcement action against Anthony
Fields, an Illinois-based investment advisor, accusing him of making
“fraudulent offers” of more than $500 billion in “fictitious securities
through various forms of social media,” namely, LinkedIn.
Legal Risks
Virtually all company data is subject to discovery should legal action be
taken, including communications traffic over blogs, wikis, discussion
forums, bookmarks, social media, and unified communications. At the
end of the day, these are all simply forms of “electronic communications.”
The process of archiving, storing, and making these conversations and
posts easily retrievable for not just regulatory compliance, but also for
legal holds and eDiscovery purposes, is made complex by the multi-
dimensional nature of these conversations. For example, a wiki or blog
post can include numerous contributors and respondents, each one
commenting, replying, deleting, and editing content. In essence, this
dynamic interchange of content underscores the importance of context.
For instance, who said what and when, and did he or she edit or delete any
comments? Chronology and context are therefore crucial.
User Behavior and Policies
Social communities, wikis, profiles, and blogs offer huge productivity
benefits when used in the context of business processes, but they
also require comprehensive governance and usage guidelines. These
guidelines can be added to existing Acceptable Use Policies (AUPs) for
other electronic communications or IT equipment. Well-constructed social
computing guidelines can help educate employees about the appropriate
uses of these applications. Employees have to understand that they are
responsible for the content they share, should respect opinions of others,
and must protect confidential information.
Unlike employees in many other industries, registered representatives are
duty-bound to follow the rules and regulations surrounding electronic
communications.
For this reason, it is very important to have good communication and
education components in your social software deployment plan. The
concepts are not complex; they just need to be communicated clearly to
establish acceptable behavior. It is also a best practice to establish a
social computing subject matter expert to answer any questions about the
guidelines and the desired behavior.
Key Rules
FINRA Rule 2210 (Communications with the Public)
In February 2013, FINRA replaced NASD Rules 2210 and 2211 and
NYSE Rule 472 with FINRA Rule 2210, which governs communications
with the public. The new rule reduces the number of communications
categories from six to three, two of which pertain to social media:
Correspondence
Correspondence includes any written (including electronic) communication
that is distributed or made available to 25 or fewer retail investors within
any 30 calendar-day period.
Retail communication
Retail communication includes any written (including electronic)
communication that is distributed or made available to more than 25 retail
investors within any 30 calendar-day period. A “retail investor” includes
any person other than an institutional investor, regardless of whether
the person has an account with the firm. Communications that formerly
qualified as advertisements and sales literature generally now fall under
the definition of “retail communication.”
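The two FINRA Rule 2210 categories above turn on one number: how many distinct retail investors a piece of content reaches within any 30 calendar-day period. The following added example (not code from this whitepaper or from Actiance; the `Distribution` record, `classify()` and the sample post data are constructed assumptions) applies that threshold to a post's distribution log, treating repeated recipients as one investor and excluding institutional investors, as the definition of "retail investor" above requires.

```python
"""FINRA Rule 2210 audience-threshold check: content made available to more
than 25 retail investors within any 30 calendar-day period is a retail
communication; otherwise it is correspondence.  Added example, not code
from the whitepaper or from Actiance; Distribution and classify() are
assumptions, and the sample post data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

RETAIL_THRESHOLD = 25   # "more than 25 retail investors" => retail communication
WINDOW_DAYS = 30        # "within any 30 calendar-day period"


@dataclass(frozen=True)
class Distribution:
    """One instance of a post or message being made available to a recipient."""
    day: date
    recipient: str
    institutional: bool = False   # institutional investors are not "retail investors"


def retail_reached(distributions, window_start, window_days=WINDOW_DAYS):
    """Distinct retail investors reached in [window_start, window_start + window_days)."""
    end = window_start + timedelta(days=window_days)
    return {d.recipient for d in distributions
            if not d.institutional and window_start <= d.day < end}


def classify(distributions):
    """Return (category, peak_retail_count).

    Slides a 30-day window starting at each distribution date (the peak of any
    window is always attained by one that starts on a distribution day) and
    counts distinct retail recipients, so the same investor reached twice
    counts once and institutional recipients never count."""
    peak = 0
    for start in sorted({d.day for d in distributions}):
        peak = max(peak, len(retail_reached(distributions, start)))
    category = "retail communication" if peak > RETAIL_THRESHOLD else "correspondence"
    return category, peak


def sample_blog_post(gap_days):
    """Constructed data: a blog post shared with 20 retail investors, then with
    10 more (plus one repeat) gap_days later, and once with an institution."""
    first = date(2013, 3, 4)
    dists = [Distribution(first, f"retail{i}") for i in range(20)]
    later = first + timedelta(days=gap_days)
    dists += [Distribution(later, f"retail{i}") for i in range(20, 30)]
    dists.append(Distribution(later, "retail0"))                 # repeat recipient
    dists.append(Distribution(first, "pension_fund", institutional=True))
    return dists


if __name__ == "__main__":
    # Second batch 20 days later: 30 distinct retail investors in one window.
    print(classify(sample_blog_post(20)))   # ('retail communication', 30)
    # Second batch 45 days later: no window exceeds 20.
    print(classify(sample_blog_post(45)))   # ('correspondence', 20)
```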
Compliance considerations
• Regulatory Notice 10-06 does pave the way for registered
representatives to participate in real-time communications, but care
still needs to be given to the content of the message.
• Under FINRA Rule 2210, communications with the public must be based
on the principles of fair dealing; misleading statements, exaggerated
claims, and predictions about investments are strictly forbidden.
• Sharing or republishing a comment from a third party is likely to be
considered an endorsement, as is “Liking” a comment on Jive or
Salesforce Chatter, so caution is urged.
Compliance recommendations
Given that human error or judgment is frequently found to be a
contributing factor in adverse situations, organizations began
implementing content filtering systems for their email platforms a long
time ago. Companies need to implement a solution that provides content
filtering for messages posted to a wide range of real-time communications
tools, including ESS, to ensure that all messages are appropriate.
NASD Rule 3010 (Supervision)
“Members must establish, maintain and enforce written procedures
for communications”; the inclusion of electronic communications was
confirmed in Notice 99-03. Furthermore, 10-06 reminds members
that under NASD Rule 3010 members must supervise social media
communications “in a manner reasonably designed to ensure that they do
not violate the content requirements of FINRA’s communications rules.”
Compliance considerations
• It is not possible to supervise communications if the organization
does not have visibility of all electronic communications tools in use
on its network.
• An enterprise should standardize on its use of electronic
communications tools, including social applications, for its employees
and customers to meet collaboration requirements. This will
decrease the temptation to download other applications that may
have been specifically designed to avoid detection by traditional
security measures.
Compliance recommendations
In order to be able to enforce communications policies, enterprises need
to implement technology that is able to provide visibility into all ESS tools
on the network and the ability to block or control their usage.
FINRA Rule 4511 (Books and Records)
Firms are obligated to: (1) make and preserve books and records as
required under FINRA and SEC rules; and (2) preserve the books and
records in a format and media that complies with SEC Rule 17a-4. The rule
also requires firms to preserve, for a period of at least six years, FINRA
books and records for which there is no specified retention period under
applicable FINRA or SEC rules.
Compliance considerations
• ESS platforms offer little to no native archiving functionality, making it
difficult to comply with FINRA or SEC rules that require, if appropriate,
the review “by a supervisor of employees’ incoming, outgoing and internal
electronic communications.”
• Native archiving functionality offered by ESS is rarely able to provide a
granular breakdown of conversations by person (including buddy names),
key phrases, and timeframes, which are essential for compliance and
eDiscovery requirements.
• This is further complicated by the multitude of modalities used in
conversations, from IM to blogs to wikis.
Compliance recommendations
Enterprises should deploy a central archiving system that enables
easy review of posted messages and detailed analysis of electronic
conversations, including file downloads both internally and externally,
complete with an audit trail of the auditor reviewing the information.
In addition, the information should include who joined a conversation and
when, when they left, any disclaimers shown (at the beginning of a
conversation, for instance), and call detail records for voice calls, group
meeting sessions, etc.
Key FINRA Notices
Regulatory Notice 07-59 (Supervision of Electronic
Communications)
Recognizing the ever-expanding role of electronic communications, FINRA
suggests in Regulatory Notice 07-59, Supervision of Electronic
Communications, that members consider taking steps “to reduce, manage or
eliminate potential conflicts of interest, to prevent electronic
communications between certain individuals/groups or monitoring
communications as required by FINRA rules.”
Compliance considerations
• In certain situations, there may be a requirement to restrict electronic
conversations between internal personnel, such as between non-
research and research departments. In addition, there may be a
requirement to restrict electronic communications between specific
persons from different organizations, while still allowing broad
communication with others.
• Though it is easy for a registered representative to recognize in a
one-to-one instant message conversation whether or not they should be
talking to the individual, with the popularity of features such as
discussion forums within a community, that judgment is much harder to
make, and the risk is now considerable.
Compliance recommendations
Implement ethical walls at both a group and domain level to ensure that
conflicting personnel do not accidentally “meet” electronically and to
maintain a full audit trail that clearly displays when an individual joined a
meeting and subsequently left. In addition, the use of disclaimers when a
member joins a meeting can help to reinforce the message.
Regulatory Notice 10-06 (Social Media Websites)
The release of Regulatory Notice 10-06 from FINRA makes it very clear
that all electronic communications shared via the Internet should be
treated in just the same way as if they were shared in person or in non-
electronic written communications.
Compliance considerations
• Social media is a dynamic medium that relies on real-time (or near
real-time) interaction between participants to be a useful resource
for information and communication. Allowing unfiltered access raises
the possibility of an employee accidentally or deliberately saying
something inappropriate.
• Moderating every post manually will increase the overhead of
using social media and may also add an element of delay to the
“conversation” that offsets the benefit of using the medium.
Compliance recommendations
Educate users to understand what is considered appropriate content.
Implement filters or moderation processes that can control the content
posted to external social media sites.
Regulatory Notice 11-39 (Social Media Websites and Use of Personal Devices)
In this notice, FINRA provides further guidance for firms on applying
rules governing communications with the public when using social
media. In short, firms are reminded that existing rules for recordkeeping,
suitability, supervision and content requirements all apply to social media.
Additionally, FINRA clarified the following points:
• The content of the communication is determinative, not the
communication channel.
• A firm is subject to the “adoption” and “entanglement” theories
regarding third-party posts.
• Business communications over personal devices must be retained,
retrievable, and supervised.
Compliance considerations
• Mobile devices are increasingly being used for business
communications, which means they are subject to regulatory
requirements, even if the device in question is a personal device.
Compliance recommendations
Create or revise policies to incorporate business communications
conducted over personal devices. Implement technology
solutions to ensure that such communications are captured for
recordkeeping purposes.
How Actiance Meets FINRA Compliance Requirements
Vantage
Vantage is Actiance’s governance solution for enterprise social software. It
complements today’s archiving systems by providing a level of granularity
that ensures any information governance strategy is executed seamlessly.
Actiance’s Collaboration Framework underpins the capture of this wealth of
data, maintaining the context of conversations and posts and storing them
natively. Additionally, the framework provides organizations the flexibility
of conducting eDiscovery from the Actiance database (thus facilitating
contextual review), the customer’s own archive, or perhaps from a third-
party archive.
Today’s archiving solutions just grab all collaboration content without
providing any real-time insight into the meaning of the data. Vantage’s
content-inspection technology features real-time alerts to detect potential
loss or exposure of intellectual property and violations of corporate policy,
such as the use of inappropriate language (e.g., inflammatory comments).
Its policy framework allows granular policies to be defined between groups
of employees, ensuring enterprises remain compliant. All of the available
compliance controls were designed to address the key government and
industry regulations (e.g., FINRA, SEC, FRCP, Sarbanes-Oxley, FERC).
Some key features of Vantage include the following:
• TrueCompliance™: Tamper-proof archiving of content; real-time
content inspection; preservation of message or conversation order.
• Real-time alerts: Send real-time alerts based on content detected
(e.g., abusive language, trade secrets); scans content within files.
• Granular policy control: Define capture policies at a granular level to
map to compliance or corporate governance standards.
• Contextual capture: Content shown in context of other related items in
reviewer UI.
Nine Steps to ESS Compliance
1. Gain visibility into all communications tools
The first step in any security review is to carry out an audit. Even if
the use of real-time communications and social applications has been
banned within the enterprise, the likelihood is that users will have
found a way to circumvent any measures put in place.
2. Develop policies taking into account FINRA guidelines
An acceptable use policy (AUP) will let users know exactly what they
can and can’t do with respect to ESS applications. Don’t forget to
include that the organization has the right to monitor all traffic and
to remind registered representatives that they are bound by FINRA
regulations, even if they are not using the company network.
3. Implement monitoring technology
The only way to see who is using what, how often, and when is to
implement monitoring technology. Even if a business chooses to ban
specific real-time applications, without monitoring in place, they can
never be certain that users are actually complying.
4. Ensure granular access
Not all employees need access to every aspect of real-time
communications tools or social applications. In the same way
organizations block certain file types (e.g., only the marketing
department can receive GIFs and JPEGs), consider limiting the various
types of real-time communications by job function.
5. Apply policy management and control
Apply centralized policy management and control with a single
solution for all elements of email, instant messaging, and social
applications in use in the enterprise. Use Active Directory
integration to set and enforce global, group, and individual-level
communications policies.
6. Enable content filtering
Ensure content posted and messages sent can be monitored where
necessary. Use lexicons to efficiently monitor for sensitive keywords,
phrases, and regular expressions.
7. Send alerts
Limit the potential damage of inappropriate or inflammatory content by
utilizing alerts.
8. Capture edits and deletes
Edits and deletions are just as important as unchanged content.
Ensure you have policies and systems in place to record content that
was revised or removed.
9. Archive
Whether you need to retrieve messages for litigation, to substantiate
a compliance issue, or just to confirm a contractual modification, all
business messages need to be stored securely.
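Steps 5 to 9 above, together with the ethical walls recommended under Regulatory Notice 07-59, fit into one small governance pipeline. The following is an added example, not Actiance's Vantage or any other product's code; the group names, the directory lookup, the lexicon entries and the sample posts are all constructed. It applies a group-level wall before a user joins a forum, runs every post through a lexicon of keywords and regular expressions, raises an alert on a hit, and keeps every create, edit and delete as its own archive event so revised or removed content remains reviewable.

```python
"""Minimal ESS governance pipeline for steps 5 to 9 above plus the ethical
walls recommended under Regulatory Notice 07-59.  Added example, not
Actiance's Vantage or any product code; the group names, directory lookup,
lexicon entries and sample posts are constructed."""
import re
from datetime import datetime, timezone

# Step 5 and Notice 07-59: group-level policy.  Pairs of groups that must
# not "meet" electronically (assumed names; a real deployment would take
# them from Active Directory group membership).
ETHICAL_WALLS = {frozenset({"research", "investment_banking"})}
USER_GROUPS = {"alice": "research", "bob": "investment_banking", "carol": "sales"}

# Step 6: lexicon of sensitive keywords, phrases and regular expressions.
LEXICON = {
    "guarantee": re.compile(r"\bguarantee[sd]?\b", re.I),
    "performance prediction": re.compile(r"\b(will|is going to) (go up|double|soar)\b", re.I),
    "card number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),   # PCI: cardholder data
}


def lexicon_hits(text):
    """Names of every lexicon entry that matches the text (step 6)."""
    return sorted(name for name, rx in LEXICON.items() if rx.search(text))


def can_join(user, forum_members):
    """Ethical wall check: a user may join a forum only if no member's group
    is walled off from the user's group (Notice 07-59)."""
    group = USER_GROUPS.get(user)
    return all(frozenset({group, USER_GROUPS.get(m)}) not in ETHICAL_WALLS
               for m in forum_members)


class Archive:
    """Steps 7 to 9: append-only event log.  Every create, edit and delete is
    kept as its own event, so revised or removed content stays reviewable,
    and any lexicon hit raises an alert."""

    def __init__(self):
        self.events = []   # never rewritten; this is the audit trail
        self.alerts = []

    def record(self, action, user, post_id, text=None, when=None):
        when = when or datetime.now(timezone.utc)
        hits = lexicon_hits(text) if text else []
        self.events.append({"ts": when.isoformat(), "action": action,
                            "user": user, "post": post_id, "text": text,
                            "hits": hits})
        if hits:
            self.alerts.append((post_id, user, hits))
        return hits

    def history(self, post_id):
        """All versions of a post in order, including the deletion (step 8)."""
        return [e for e in self.events if e["post"] == post_id]


def demo():
    """Constructed scenario: a sales user posts, edits and deletes one post."""
    archive = Archive()
    t0 = datetime(2013, 3, 4, 9, 0, tzinfo=timezone.utc)
    archive.record("create", "carol", "p1", "ACME will double by Q3, guaranteed!", t0)
    archive.record("edit", "carol", "p1", "ACME reported strong Q3 results.", t0)
    archive.record("delete", "carol", "p1", when=t0)
    return archive
```

The first version of the post trips two lexicon entries and raises one alert; the later edit and the deletion are retained as separate events rather than overwriting it.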
About Actiance
Actiance® is a global leader in communication, collaboration, and social
media governance for the enterprise. Its governance platform is used
by millions of professionals across dozens of industries. With the power
of communication, collaboration, and social media at their fingertips,
Actiance helps professionals everywhere to engage with customers and
colleagues so they can unleash social business.
The Actiance platform gives organizations the ability to ensure compliance
for all their communications channels. It provides real-time content
monitoring, centralized policy management, contextual capture of content
and smart archiving which improves the efficiency and cost-effectiveness
of eDiscovery and helps protect users from malware and accidental or