[25453]
August 31, 2011
TO: ADVERTISING COMPLIANCE ADVISORY COMMITTEE No. 11-11CLOSED-END INVESTMENT COMPANY MEMBERS No. 69-11
COMPLIANCE MEMBERS No. 38-11
SEC RULES MEMBERS No. 107-11
SMALL FUNDS MEMBERS No. 57-11
TECHNOLOGY COMMITTEE No. 9-11 RE: FINRA ISSUES SOCIAL MEDIA GUIDANCE
FINRA recently issued a regulatory notice, providing guidance on how FINRA rules governing communications with the public apply to social media sites. [1] The Notice, which was in question and answer format, addressed issues related to: recordkeeping; supervision; third-party posts, third-party links and websites; and accessing social media sites from personal devices. It also provided related background information on certain of these topics and data feeds. The Notice is summarized below.
Background
Similar to the 2010 Notice, the 2011 Notice provides that Rule 17a-4(b) under the Securities Exchange Act of 1934 requires broker-dealers to retain “originals of all communications received and copies of all communications sent by the broker-dealer relating to its business as such.” Also like the 2010 Notice, the 2011 Notice states that FINRA considers unscripted participation in an interactive electronic forum to come within the definition of “public appearance” (thus permitting firms to adopt risk-based supervisory procedures rather than requiring prior principal approval).
Consistent with the 2010 Notice, the 2011 Notice provides that, under NASD Rule 3010, a registered principal must review, prior to use, any social media site that an associated person intends to employ for a business purpose. With respect to links to third-party sites, the Notice states that firms may not establish a link to any third-party site that the firm knows or has reason to know contains false or misleading content. Additionally, a firm is responsible for content on a third-party site if it has adopted or become entangled with its content.
With respect to data feeds, the Notice states that firms must adopt procedures to manage data feeds into their own websites. According to the Notice, firms must: (i) be familiar with the proficiency of the data vendor and its ability to provide data accurate as of the time it is presented on the firm’s website; and (ii) understand the criteria followed by vendors in gathering or calculating the types of data the firm intends to feed into its website, to determine whether the vendor is performing this function in a reasonable manner. In addition, firms should regularly review aspects of data feeds for any red flags that indicate that the data may not be accurate, and should promptly take necessary measures to correct any inaccurate data.
Questions and Answers
Recordkeeping
According to the Notice, whether a communication is subject to the recordkeeping rules does not depend on whether an associated person uses a personal device or technology to make the communication. Rather, the content of the communication is determinative, regardless of the type of device used to make the communication.
Whether an associated person’s posting of autobiographical information is a business communication depends on the context. In certain contexts, such as sending a resume to a potential employer, the communication could be deemed irrelevant to the firm’s business. In other contexts, such as posting of autobiographical information along with a list of the firm’s products, the communication likely would be a business communication.
Neither firms nor their associated persons may use communication devices or sponsor social media sites that include technology which automatically erases or deletes the content (because it would preclude the ability of the firm to retain the communication for Rule 17a-4 purposes.)
The recordkeeping requirements apply to third-party posts to a firm’s or an associated person’s social media sites relating to its business as such.
The recordkeeping requirements do not differ for static and interactive communications because the requirements are implicated based on the content of the communication.
Supervision
According to the Notice, interactive content can be become static (and therefore constitute an advertisement subject to prior principal approval under Rule 2210) if, for example, it is copied or forwarded and posted in a static forum, such as a blog.
To monitor compliance with social media policies, firms must conduct appropriate training and education concerning such policies, and follow up on red flags that indicate associated persons are not complying with the policies. [2]
Firms are expected to adopt procedures requiring prior principal approval of any material changes to static content posted by a firm or its associated persons on a social media site (consistent with requirements regarding any other type of advertisement or sales literature that has been materially changed).
Third-Party Posts, Third-Party Links and Websites
According to the Notice, an associated person only may respond to a third-party business related communication on his or her personal social media site if responding does not violate the firm’s policies. The Notice goes on to point out that some firms prohibit substantive responses in this circumstance but permit a non-substantive response. In that instance, firms may pre-approve statements that their associated persons may make to respond to such posts and that direct the third-party to other firm-approved communications media (e.g., the firm’s email system).
A firm that co-brands any part of a third-party site, such as by placing the firm’s logo prominently on the site, is responsible for the content of the entire site.
A firm may establish a link to a third-party site without assuming responsibility for the content of the site under Rule 2210 if: (i) the firm does not adopt or become entangled with the content of the third-party site; and (ii) the firm does not know or have reason to know that the site contains false or misleading information.
The fact that a firm has a policy of routinely blocking or deleting certain types of content to ensure the content is appropriate does not mean the firm has adopted the content of the posts remaining on the site.
Statistical information that a firm regularly updates on its website pursuant to templates is not required to be approved by a principal prior to each update.
Accessing Social Media Sites from Personal Devices
According to the Notice, firms may permit their associated persons to use any personal communications device, whether owned by the associated person or the firm, for business communications. The firm must, however, be able to retain, retrieve, and supervise business communications regardless of whether they are conducted from a device owned by the firm or the associated person. If the firm has the ability to separate business and personal communications, and has adequate electronic communications policies and procedures regarding usage, then the firm is not required to supervise the personal emails made on these devices.
Dorothy M. Donohue
Senior Associate Counsel
endnotes
[1] See FINRA Regulatory Notice 11-39, Social Media Websites and the Use of Personal Devices for Business Communications, (August 2011) (“Notice” or, alternatively,“2011 Notice”), available at http://www.finra.org/Industry/Regulation/Notices/2011/P124187. FINRA previously issued a notice on social media, Regulatory Notice 10-06, Social Media Web Sites: Guidance on Blogs and Social Networking Websites, which is summarized in ICI Memorandum No. 24103, dated January 27, 2010 and which can be accessed on FINRA’s website at http://www.finra.org/Industry/Regulation/Notices/2010/P120760.
[2] The Notice specifies that a firm’s policies and procedures must include training and education of its associated persons regarding the differences between business and non-business communications and the measures required to ensure that any business communication made by associated persons is retained, retrievable and supervised.