Memo #25766

SEC OCIE Issues a National Examination Risk Alert Providing Insights Regarding Investment Advisers' Use of Social Media


January 5, 2012

TO: ADVERTISING COMPLIANCE ADVISORY COMMITTEE No. 1-12
COMPLIANCE MEMBERS No. 1-12
INVESTMENT ADVISER MEMBERS No. 1-12
SMALL FUNDS MEMBERS No. 1-12
TECHNOLOGY COMMITTEE No. 1-12

RE: SEC OCIE ISSUES A NATIONAL EXAMINATION RISK ALERT PROVIDING INSIGHTS REGARDING INVESTMENT ADVISERS’ USE OF SOCIAL MEDIA

As you may know, one of the newer initiatives of the SEC’s Office of Compliance Inspections and Examinations (OCIE) is to provide SEC registrants with staff observations on issues reviewed in inspections. The vehicle to communicate such observations is a new publication, “National Examination Risk Alert” (“Risk Alert”), which OCIE plans to publish from time to time. [1] OCIE has published its first Risk Alert relating to investment advisers, “Investment Adviser Use of Social Media.” [2] The Risk Alert notes that the information it includes “is not intended as a comprehensive summary of all compliance matters pertaining to the use of social media” by registered investment advisers (“RIAs”). Instead, the information is intended to “assist RIAs in designing reasonable procedures designed to prevent violations of the Advisers Act and other federal securities laws with respect to firm, investment advisory representative (‘IAR’) and solicitor . . . use of social media.” [3]

Staff Observations

The Staff Observations comprise the bulk of the Risk Alert’s contents. These observations are broken into three categories: “Compliance Program Related to the Use of Social Media;” “Third-Party Content;” and “Recordkeeping,” each of which is briefly summarized below. Prior to this discussion, readers are cautioned that the observations are a “non-exhaustive list of factors that an investment adviser may want to consider when evaluating the effectiveness of its compliance program” relating to the use of social media. Such factors, however, should not be construed as a safe harbor or a checklist for SEC examiners. [4]

Compliance Program Related to the Use of Social Media

The factors an investment adviser may want to consider when reviewing the portion of its compliance program governing social media include:

  • Usage Guidelines – Have IARs received guidance on the appropriate and inappropriate use of social media, including any restrictions/prohibitions the firm determines are necessary “based on the firm’s analysis of the risk to the firm and its clients” from using social media?
  • Content Standards – Has the content created by the firm or its IARs implicated the adviser’s fiduciary duty or other regulatory issues? Has the firm articulated clear guidelines regarding permissible content and whether any content is prohibited or restricted?
  • Monitoring – Has the firm determined how to effectively monitor the firm’s social media sites or use of third-party sites, including those that may not provide complete access to a supervisor or compliance personnel?
  • Frequency of Monitoring – Has the firm decided how to monitor (e.g., using a risk-based approach) social media postings and how frequently (e.g., periodic, daily, or real time)? In making these determinations, has the firm considered the volume and pace of communications posted on a site or the nature of, and probability to mislead contained in, the subject matter discussed? [5]
  • Approval of Content – Has the firm considered whether the content should be pre-approved?
  • Firm Resources – Has the firm dedicated sufficient resources to monitor social media activity, including its use by numerous IARs or solicitors? Has the firm considered using sampling, spot checking, or lexicon-based or other search methodologies, or a combination of methodologies, to monitor social media use and content?
  • Criteria for Approving Participation – With regard to any social media site used by the firm, its IARs, or its solicitors to conduct business, has the firm considered such site’s reputation, its ability to remove third-party posts, its controls on anonymous postings, and its advertising practices?
  • Training – Has the firm implemented a training program related to social media to promote compliance and prevent violations of the law or the adviser’s compliance policies?
  • Certification – Has the firm considered whether to require IARs and solicitors to certify that they are complying with the firm’s social media policies and procedures?
  • Functionality – Has the firm considered, with respect to each social media site used by the firm, its IARs, or its solicitors, whether the site’s current functionality presents a risk to the firm or its client and how any future upgrades/modifications to its functionality will be reviewed for risk?
  • Personal/Professional Sites – Has the firm considered whether to adopt policies for IARs or solicitors who conduct firm business on personal or third-party social media sites and whether such policies should limit the content on sites that are not operated, supervised, or sponsored by the firm?
  • Information Security – Has the firm considered whether permitting its IARs access to social media sites poses any information security risks to the firm or its clients and, if so, has the firm adopted policies to create appropriate firewalls to prohibit any non-public information from being accessed or compromised?
  • Enterprise Wide Sites – If the adviser is part of a larger financial services organization, has the adviser considered whether to create usage guidelines that would prevent the firm-wide usage of social media from violating the Advisers Act?

Third-Party Content

As regards third-party content – i.e., advisers that permit third parties to make postings on their social media sites – the Risk Alert notes that advisers may want to have policies and procedures concerning such postings, including those postings that may constitute testimonials in violation of the federal securities laws. It notes that, while the determination of whether a third-party posting is a testimonial depends upon all the facts and circumstances relating to the statement, “the use of ‘social plug-ins’ such as the ‘like’ button could be a testimonial under the Advisers Act.” [6]

Recordkeeping Requirements

The Risk Alert advises investment advisers that communicate through social media to retain records “of those communications if they contain information that satisfies [the adviser’s] recordkeeping obligations under the Advisers Act. In the staff’s view, the content of the communication is determinative.” [7] Accordingly, advisers using social media should consider reviewing their document retention policies to ensure that any required records generated by social media communications are retained as and where required by law. In reviewing their recordkeeping policies relating to social media, an adviser may want to consider each of the following:

  • Is the social media communication a required record and, if so, what is the applicable retention period and how accessible must the record be?
  • How will records created via social media be maintained – in electronic or paper format?
  • Are employees being trained about the recordkeeping requirements applicable to social media?
  • Are the records being arranged and indexed to promote easy location, access, and retrieval of a particular record?
  • Is the adviser periodically test checking (using key word searches or otherwise) to ascertain whether employees are complying with the recordkeeping requirements?
  • Are third parties keeping records consistent with the recordkeeping requirements?

Conclusion

In concluding, the Risk Alert expresses the staff’s hope that sharing observations from its review of advisers’ use of social media, as well as suggestions regarding factors advisers may wish to consider if using social media, is helpful to firms in strengthening their compliance and risk management programs.

 

Tamara K. Salmon
Senior Associate Counsel

endnotes

 [1] OCIE has issued three Risk Alerts to date. The previous two dealt with broker-dealer issues – i.e., “Master/Sub Accounts” (Volume I, Issue 1, Sept. 29, 2010), which is available at http://www.sec.gov/about/offices/ocie/riskalert-mastersubaccounts.pdf; and “Broker-Dealer Branch Inspections” (Volume I, Issue 2, Nov. 30, 2011), which is available at http://www.sec.gov/about/offices/ocie/riskalert-bdbranchinspections.pdf.

 [2] See Risk Alert Volume II, Issue 1 (Jan. 4, 2012), which is available at http://www.sec.gov/about/offices/ocie/riskalert-socialmedia.pdf.

 [3] See Risk Alert at n. 4.

 [4] See Risk Alert at n. 10.

 [5] According to the Risk Alert, “The after-the-fact review of violative content days after it was posted on a firm’s social networking site, depending on the circumstances, may not be reasonable, particularly where social media content can be rapidly and broadly disseminated to investors and the markets.” See Risk Alert at p. 4.

 [6] See Risk Alert at p. 6.

 [7] See Risk Alert at p. 6.