Now that you’ve seen what ACA Insight has to offer, don’t be without it. Subscribe now!

The weekly news source for investment management legal and compliance professionals

Current subscribers - please log in to the website in the upper right-hand corner

News September 26, 2011 Issue

Social Media Issues – Risks and Responses

Social media is more than a website, it is its own world.

Providing interactivity and community, social media websites become closed-in lands unto themselves. People enter and stay and they don’t come back out.

With that description, Morris, Manning & Martin partner Margaret Paradis launched into a discussion of social media issues for advisers on a panel at the ACA Compliance Group/ACA Insight Fall Compliance conference earlier this month.

Each site poses special issues, and offers new ways of communicating with the public. All communications are subject to requirements – recordkeeping, monitoring, etc. There are various ways to endorse content, and that should throw up red flags from a compliance perspective. If you "like" content on a site, could that be a testimonial?

Morgan Stanley just completed a highly touted rollout of social media support, with a variety of controls, observed Paradis. One control is that they will avoid any form of endorsement. Morgan Stanley determined that supporting social media communications was a viable option, and the firm made a business decision to do it. Compliance and legal cannot make the decision, she said, they can only provide the parameters for usage.

"You need to understand it has already intruded into your business," said Paradis, "and it’s the kind of breach regulators are looking for."

Firms can’t not have a policy.

At this point in time, it is not credible for firms to have no policy in place regarding social media, provide no training, and claim that they are unaware of social media usage with the firm, said panel moderator and ACA Compliance Group senior principal consultant Luke Wilson. Co-panelist Marla Roeser, director of compliance and risk management for Convergent Wealth Advisors, agreed. It is not reasonable to have a no-use policy and to sit back and say it’s understood and is being complied with, she said. Even under a policy of prohibition, training and monitoring for compliance with the prohibition must still occur.

Roeser said her firm permits social media access from "anywhere," whether on a personal or firm-provided device, with appropriate monitoring and preclearance tools. The strong message in the firm’s approach is to direct people to the web site for information. Information on social media sites and in tweets can become stale. The web site is up-to-date.

The initial challenges in social media monitoring are understanding the business need and understanding the technology, said Roeser. For example, her firm requires the "comment" and "like" features to be disabled as part of authorized use of social media. You must be careful to avoid adoption of content posted by others or entanglement with other linked content, she said.

There’s a lot of guidance for the use of social media out there, said Paradis, even if not specifically directed at advisers. FINRA issued guidance for broker-dealers back in 2010, and recently supplemented that guidance in a question-and-answer format. The SEC has posted internet and electronic media guidance that is older, but that guidance still can provide useful ideas for how to tackle social media issues.

Suitability is not a term normally associated with advisor responsibilities, but as a practical matter advisers must ensure the suitability of social media content. This is not the same as email monitoring, it is its own world, said Paradis. Social media is different from emails because it is not a one-on-one communication. It is a post, static content on a page that can be responded to by multiple and even unknown persons. Marketing policies and email policies must be updated and adapted to encompass this new media.

I think it’s safe to say a company shouldn’t do in social media what it wouldn’t do on its web site, said Wilson.

The SEC knows social media.

The SEC conducted a sweep of social media back at the beginning of the year, he said. As a result, now the SEC has a better understanding of how advisers are using social media. The sweep produced a number of deficiency letters focused on developing better policies and procedures and conducting training. Paradis noted that there have been some enforcement actions related to social media as well, but not necessarily adviser related. For example, FINRA brought an action against a registered representative who was "way out there," giving securities recommendations and updating them via tweets. FINRA banned the rep from the industry for a year.

The SEC has access to social media along with the rest of the world, and the staff will look at social media sites in advance of any examination or inquiry. They’re out there, and they know what your people are doing, said Wilson. In his experience, he’s seen the SEC walk into a firm for an examination with screen shots from social media sites and asking "Have you seen this? Are you aware of this?"

Social media’s biggest risk.

The biggest risk associated with permitting social media usage is keeping up with and understanding the technology, said Roeser. Change in this area is constant and the number of social media sites is growing. Her company maintains a Google alert for mention of the firm to help keep up, she said. It is important to understand how social media can be used, what its features are, and how it can expose your firm to compliance breaches.

Other risks.

Another important risk related to social media is reputational risk. Once you’re out there, you’re out there, said Roeser. Feedback is both positive and negative, and you should assume negative feedback is already out there, said Paradis. Social media is interactive and you’re going to be on the receiving end – be prepared!

It is challenging to keep up with the pace and change of social media, said Wilson. It is also imperative to do so. For example, he knew of an adviser representative who wanted to go on Groupon and sell 1/2 price financial plans. To do that, disclosure in the Form ADV and any brochures would need to be revised with respect to pricing and to note the potential for this discount and any other variations by the adviser, said Paradis. Even the most seemingly straightforward actions in social media can have far-reaching effects.

Wilson has seen links embedded on social media pages or in tweets that say "please click here for important disclosures." He wasn’t sure that approach completely mitigated risks, especially for advertising, but viewed it as a useful measure. Paradis also has seen some experimenting with embedding disclosures in tweets.

At a minimum, you’ve got to have view access to your employees’ web pages, but can you edit them?, asked Roeser. Paradis observed that some firms create pages for employees to manage that content through preclearance and other methods. For example, advisers can limit the ability of employees to "re-tweet" messages to avoid adoption of content issues. Think of it like article reprints, she said. Now it is your piece, and if something is wrong or a little misleading, it’s on you, said Roeser. Paradis agreed. When you pass something on you’re aligned with it, and you should have looked at it, she said.

How to handle complaints in cyberspace.

Paradis was amazed at how personal some postings are about financial complaints on corporate websites. Once people are on a site "they feel like they’re in a club and they just let loose," she said. The challenge here is to find a way to direct such communications out of and away from the social media website. Advisers should have a complaint policy already, and update it to accommodate social media situations, said Paradis.

Books and records can be tricky.

Another big area of risk is maintaining appropriate records, and all the records that are required, said Wilson. For example, say the adviser maintains a policy that employees may not use the firm’s name or securities-related information in social media communications. Is the adviser obligated to maintain records of an employee’s social media activities? Technically the answer is no, said Paradis. But what is the adviser’s basis for belief that the policy is being complied with? You have to test for compliance; annual employee certifications that they are complying with the policy are not enough, she said.

Training is fundamental.

Training is a big part of any social media compliance program, said Wilson. The SEC has specifically directed registrants to look at the FINRA guidance. Training is valuable in a variety of ways, too. For example, the firm’s policies on privacy and information security must be updated with respect to social media, and training can get the word out there.

Training is critical for a firm’s security protocols with respect to mobile devices. Are the devices password protected? Can you remotely wipe them if they’re lost or stolen?, asked Wilson. People lose their devices and don’t tell me right away, said Roeser. It is important to train here and make sure people know the policy is immediate reporting to prevent access to the information on the devices.

It is also important to impress upon your employees that it is not that easy to erase your footprints online, said Paradis. Nothing is ever lost, the SEC and Department of Justice can always get it. It is not like a phone call that came and went, she said, but people still analogize to that.

Admission has a price.

Surveillance of employee social media practices and adherence to firm policies is critical, said Paradis. There is a "price of admission" for social media, in that you have to invest in some form of surveillance technology.

How those costs are absorbed or passed on is up to the individual firm, but there should be no question that the technology is necessary.