Social Networking Compliance

Think Before You Tweet!

What are the challenges for broker/dealers and investment advisers trying to use social networking sites?

Complinet hosted a webinar on this topic with Clifford Kirsch from Sutherland Asbill & Brennan LLP and Debbie Corej, Vice President, Compliance – Insurance Division, Prudential.

Clifford started the discussion by pointing out the need to think about who is using these communication tools and what they are using them for. There is not a single source for the legal rules on how to use social networking tools in compliance with the regulatory requirements. You have to fit these tools into the established regulatory frameworks.

Broker/Dealer

With respect to the supervisory structure, you should look at FINRA Rule 3010. You need a policy, whether you allow use of these tools or not. You should start by looking at FINRA’s Guide to the Internet.

The next focus is whether the tools are being used as advertising and sales literature. If so, then there are content requirements, filing requirements and reviews. There is a new proposed FINRA Rule 09-55 that would streamline the approach to advertising. There is no specific reference to social networking. Many commenters did request some specific discussion of social networking.

The next hurdle is record-keeping. Some sites are easy to integrate with record-keeping. SEC Rule 17A-4 has extensive requirements.

Another issue is keeping track of complaints and filing complaints. That is hard to do in the free flow of information on social networking sites. What do you do if someone complains on Twitter?

Investment Advisers

As with brokers you still need a supervisory structure and examinations for risk. You should have a policy, pro or con.

With advertising and sales literature, the requirements are not as difficult as for broker/dealers. There are no filing or pre-approval requirements. SEC Rule 206(4)-1 prohibits testimonials and selective discussion of past performance.

There are record-keeping requirements, so you need a system in place for preserving the records, even though they are created on a third-party social networking site.

Real Life with Social Networking at Prudential

Debbie turned to some of the challenges in her organization. They have a big umbrella. Part of the challenge is controlling the technology itself.

Prudential does block some sites and is looking at ways to open access in a way they can control. There are competing interests in the company. Recruiters have a different use than marketing. Everybody has some need to use the tools to stay connected with colleagues and experts.

There are some vendors out there trying to meet the compliance requirements. But they are all new and untested. FINRA is not giving any particular blessing on a tool.

It is important that compliance understand the different features of a site and the terms and conditions for that site. Any one social networking site is likely to have features that fall into multiple categories for compliance requirements.

For example, you should prohibit the recommendations feature of LinkedIn. You should have an internal person as a connection so that they get a notice of updates to profiles.

You need to have people submit correspondence for record-keeping internally and then review the account to make sure all of the correspondence has been submitted.

It is important to have a policy. It is also important that the policy is not freestanding but integrated with other policies, such as confidentiality. It’s possible that if you do not prohibit a tool, you may be implicitly allowing the use of that tool.

Of course you need to test compliance with the policies. If you are banning, you should search the site for employees’ names and your company name.

FINRA Task Force

FINRA has created a task force to look at social networking. (Debbie is on the task force.) FINRA is very interested in the topic and how the mechanisms can work in compliance. At the company level it is easier to control and monitor than at the individual registered-representative level.

There is the problem that use of the sites at a personal level is hard to contain. What if a friend asks you a professional question?

FINRA is hosting a March 17 webinar: Compliance Considerations for Social Networking Sites.

What Went Wrong at Lehman?

Complinet interviewed David DeMuro, head of compliance at Lehman Brothers during its last days in 2008. It should come as no surprise that the warning signs were there for everyone to see but in the midst of a bubble, employees were too scared to raise their hand because there was still money to be made.

DeMuro did not blame the regulators, saying they were looking closely at the working of the investment bank. He did lay some blame on the Federal Reserve Bank: “The role of the Fed is to take away the punch bowl just as the party gets going. However, in recent times the Fed has chosen to add just a few more shots of vodka to the punch bowl to keep the party going.”

He did peg lots of blame on an over-reliance on financial risk models. There was also an “almost religious belief” in the veracity of the models.

See the webcast yourself (13 minutes): Complinet Interviews David Demuro

FSA Berates Compliance Officers in Crackdown on Data Security Breaches

Joanne Wallen of Complinet writes about the reaction of the U.K.’s Financial Services Authority: FSA Berates Compliance Officers in Crackdown on Data Security Breaches (.pdf).

The FSA focused on compliance officers for not putting enough focus on data security.

Examples of good practice at firms that the FSA visited included encrypting laptops and using secure internet links to transfer data to third parties. This was something that HSBC claimed it usually did, but the bank was caught out when its electronic system went down and it instead transferred the records of 370,000 life insurance customers onto a disc that it then sent in the post to its reinsurer at the beginning of February. As of the beginning of April, the disc had not yet turned up. Other examples of best practice include masking customers’ financial details where they are not necessary for staff to do their jobs and appointing a senior manager with overall responsibility for data security.

Evolution of Compliance

I watched a recorded webinar presented by Complinet: Compliance Evolution: Lessons Learned, Forgotten and Ignored. (March 13, 2008) Betsy Prout Lefler, the Deputy Director of Compliance at Piper Jaffray and Co., gave the presentation.

There are many different perspectives on compliance and what compliance professionals do, in part because the role has changed very quickly.

At first it was only about procedures and monitoring designed to deter violations of applicable laws and regulations. Now, compliance is involved in the CEO certification process, internal controls (SOX) and risk-based reviews of company action.

Regulators originally gave little guidance on the role of compliance. Now compliance officers need to be involved in the SEC review process. Compliance officers need to understand not only the regulations, but also need to know the industry, the operations of the company and the products offered. CCO is not a risk manager and a strategist.

Betsy referred to the SIA 2005 Role of Compliance White Paper. This white paper tries to establish a model for compliance professionals throughout the industry. She also notes that in 2003 the SEC began a formal approach to assessing a company’s culture of compliance.

What has caused evolution?

  • Regulatory changes – there is an increasing number of regulations in the financial industry
  • Scandals – each scandal triggers more regulations and more concerns
  • Technology – more and more technology means more and more information

She thinks technology has made some of the biggest changes. Technology can be a compliance officer’s best friend. It is much easier to find and track issues and trends. Technology can help automate compliance. But technology can also be your worst enemy. There are lots of smoking gun emails. Technology can also automate non-compliance. Technology glitches can cause misstatements.

Don’t get stuck on “how we used to do it.” The role is evolving.