Brokerages and other financial services firms turning to sites like Facebook and Twitter for marketing and customer outreach face a number of thorny social media compliance issues.
Earlier this year, the Financial Industry Regulatory Authority (FINRA), which oversees U.S. securities firms, released Regulatory Notice 10-06. The notice provides guidance on how FINRA rules governing public communications apply to use of social media sites by financial firms and their employees for business purposes.
FINRA said the notice was intended to protect investors from false or misleading information as use of social media sites increases while also allowing firms to take advantage of the new technology.
The social media compliance guidance made it clear that financial-services firms need to have a policy on what their representatives are allowed and not allowed to do on social networking sites, said Chad Bockius, CEO of Austin-based service provider Socialware Inc., which provides social media control services and published analysis of the FINRA guidance. The guidance also clarified that firms must archive social networking communications, just as they do email and instant messages, he said.
However, unlike email and IM, social networking sites have many features that impact FINRA's social media compliance guidance, he said. For example, firms aren't responsible for third-party comments on their social media sites, but if they endorse them using features like Facebook's Like button, they become responsible for the content. Another example: LinkedIn provides the ability to send a message to as many as 50 recipients, which would classify it as sales material that needs to be reviewed by the firm beforehand, he said.
"The underlying theme to all of this is social networks are changing on a monthly if not weekly basis. The compliance issues created by these sites are not static. That's very different from email and IM," Bockius said. "It's a new challenge for the financial industry."
It's a challenge that an increasing number of financial firms will need to tackle as social media becomes more of a business tool than something to block. According to a survey released earlier this year by LederMark Communications LLC, a Baltimore-based financial services marketing firm, 85% of financial services professionals under 50 use social media. The survey of 175 financial services executives also showed that 40% of professionals under 50 said their social media activity has led to doing more business.
"We have a FINRA-regulated customer who says the leads the firm gets through social networks are far better than leads they get through traditional marketing," said Sarah Carter, vice president of marketing at Belmont, Calif.-based FaceTime Communications Inc.
Financial services firms have been reluctant to allow use of social media but are beginning to loosen their policies, said Paul Smocer, president of the Financial Services Technology Consortium, the technical solutions division of the Financial Services Roundtable. They have security and productivity concerns with Twitter and other social networking sites, but are aware of a younger workforce that expects to have the ability to use social media at work, he said.
"Organizations also recognize while the fundamental technology might be different, the kinds of policies they have in place for what some might argue was the first social networking concept -- email -- apply in the new social media world," Smocer said.
The same concerns apply to both email and social media communications, he said: not making inappropriate statements, not acting as a company spokesperson, and not disclosing private information.
Social media presents organizations not only with security and compliance issues but also with e-discovery concerns, said Ted Ritter, senior research analyst at Mokena, Ill.-based Nemertes Research Group Inc. Communications on social networking sites, both internal and external, need to be tracked and recorded.
"Whatever is going on there could come up in a legal action, so just as organizations have to track email and IM, they're going to have to track this stuff too because it will start coming up in litigation," he said.
Organizations need to implement social media controls that allow them to take advantage of the new technology but also restrict access and log communications, he said.
Vendors are beginning to offer technologies to control enterprise use of social media. Among them is FaceTime, which last month added features to its Unified Security Gateway that allow companies to archive, pre-approve or block employee posts to Facebook, LinkedIn and Twitter. For example, organizations can use the software to allow workers to view Twitter messages but not post to the site, prevent employees from making recommendations on LinkedIn, and hold comments for review prior to posting.
Socialware offers a cloud-based service for controlling Facebook, LinkedIn, and Twitter. In April, the company launched Compass, which is built on its Social Middleware platform and gives companies the ability to archive social media communications, control employee access to features on the sites, and scan messages.
Some firewall vendors are looking to provide social media control, and Sunnyvale, Calif.-based Palo Alto Networks Inc. is making a big push in this area, Ritter said. Last month, the company released functionality that allows enterprises to control Facebook social plug-ins.
But technology is just one piece of a social media strategy -- education plays a big role, Ritter said. "A lot of employees are unaware of the risk they're putting their organization through by posting stuff on these sites," he said.
Matthew Todd, CSO and vice president of risk and technical operations at Financial Engines, Inc., a Palo Alto, Calif.-based independent investment advisor, agreed that education is key.
"Your employees are going to use social media whether you like it or not, which makes it critical to have policies around appropriate use. But policies are not enough, given the potential threats of social media," he said. "Companies need to remind their employees about phishing attacks, malicious programs, and even privacy implications. Who knows who might end up reading that tweet about you or your company?"