Skip to main content

For updates and guidance related to COVID-19 / Coronavirus, click here.

Social Media Influencers, Customer Acquisition, and Related Information Protection

September 2021

FINRA is conducting a review of firm practices related to the acquisition of customers through social media channels and how firms manage their obligations related to information collected from those customers and other individuals that may provide data to firms. Please note that each item requested is specific to the subsection header.

Unless otherwise noted, the relevant period for each request is January 1, 2020 through [Date, 2021] (the “Relevant Period”). In addition, if your response varies over the Relevant Period, please explain the differences in your response. 

Definitions:

“Social Media” means any website or application that enables users to create and share content or participate in social networking. It includes, but is not limited to, TikTok, Facebook, Instagram, YouTube, Twitter, StockTwits, Reddit, and Twitch.

“Social Media Communications” means any communication with the public, including the provision of any content or advertisement about or on behalf of the firm, made pursuant to an arrangement with a third party, through Social Media. 

“Referral Program” means any customer or account referral program offered or used by the firm through which individuals receive bonuses, rewards, incentives, or other compensation for referring new customers to open accounts at the firm.

“Social Media Influencers” or “Influencers” means any third party with whom the firm contracts or compensates to provide Social Media Communications.

“Nonpublic Personal Information (NPI)” is defined as that term is defined in 17 CFR § 248.3.

“Cookie” means any data generated by a website or mobile application about a user and then saved.

Social Media Influencers

  1. Describe whether the firm, or its affiliate(s) on its behalf, finds and/or contracts with individuals or entities to provide Social Media Communications. If the firm engaged in such activity:
     
    1. Describe how the firm finds and/or contracts with individuals or entities to provide Social Media Communications, including whether and how the firm uses third parties, vendors, or services to find, contract, and/or compensate individuals or entities for Social Media Communications.
       
    2. Provide any engagement letters, contracts, agreements, or any other written, or offered arrangements in which the firm (or any affiliate of the firm) contracted to compensate individuals or entities to provide Social Media Communications. Please include any amendments to those engagement letters, contracts, agreements, or written arrangements.
       
    3. Describe and identify any individuals or entities with which the firm (or any affiliate of the firm) maintains any non-written agreements, or offers, to compensate individuals or entities to provide Social Media Communications.
       
    4. For the Relevant period, provide all Social Media Communications about the firm distributed or made available by individuals or entities identified above. A complete response to this request will include: (1) any Social Media Communications posted by the firm on the Influencer’s social media account(s) and (2) any Social Media Communications the Influencer posted on any social media platform about the firm. 
             
    5. Provide a numbered tabular list identifying each Social Media Communication provided pursuant to Item 1(d) above. Please also include the date the Social Media Communication was first made available to the public and whether or not the Social Media Communication was filed with FINRA’s Advertising Regulation Department. If the Social Media Communication was filed, include the FINRA Advertising Regulation reference number for the communication.
       
    6. State whether each Social Media Communication provided pursuant to Item 1(d) above was approved by a registered principal of the firm. If so, provide records that reflect such approvals.
       
  2. Describe the criteria the firm uses to identify potential Influencers to recruit as well as any background information or other characteristics, if any, the firm considers when avoiding  the use of particular Influencers.
     
  3. Provide copies of any firm social media postings, website content, emails or other communications designed to recruit individuals to post Social Media Communications regarding or on behalf of the firm.

Referral Programs:

  1. Describe whether the firm, or its affiliate(s) on its behalf, offered Referral Programs) during the Relevant Period. If the firm engaged in such activity, describe:
     
    1. The time period during which the Referral Program was or is in effect;
       
    2. The terms of the Referral Program;
       
    3. Eligibility requirements;
       
    4. Any restrictions concerning the Referral Program;
       
    5. Compensation, benefits, or bonuses offered through the Referral Program and the methodology for determination;
       
  2. Provide copies of any firm social media postings, website content, emails, or other communications designed to recruit individuals, including Firm customers, to participate in any Referral Program identified in response to Request 4 above.

General Information related to Social Media Influencers and Referral Programs:

If the firm answered affirmatively to Request nos. (1) or (4):

  1. Provide all versions of the firm’s written supervisory procedures that were in effect at any time during the Relevant Period relating to:
     
    1. Social media communications by outside parties relating to the firm, including the method by which the firm supervises such activity;
       
    2. Use of marketing affiliates or relationships to refer new customers to the firm; and
       
    3. Referral Programs.
       
  2. Provide any compliance policies, manuals, training materials, compliance bulletins, and any other written guidance in effect for any portion of the Relevant Period concerning Social Media Communications, use of marketing affiliates, and Referral Programs.

  3. Describe how the firm maintains records of Social Media Communications created by Influencers as well as Social Media Communications made by the individuals or entities participating in its Referral Programs.
     
  4. State whether the firm required Influencers, or the individuals or entities participating in its Referral Programs -- to attend trainings and/or educational courses prior to providing Social Media Communications in connection with the firm. If the answer is in the affirmative, provide a detailed explanation of the firm’s requirements, the training and/or educational courses required, and the firm’s method for tracking completion by Influencers and participants in the Referral Programs. Please identify which training and/or educational courses were for Influencers and which were for the Referral Program.
     
  5. Provide copies of any policies, manuals, training materials, compliance bulletins, and any other written guidance provided to Influencers as well individuals or entities participating in the firm’s Referral Program. Please identify which material was provided to Influencers and which was provided to Referral Program participants.

Items related to Regulation S-P and Usage Information:

  1. Provide the firm’s written supervisory procedures concerning its compliance with the SEC’s Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information (Regulation S-P). Include a description of the firm’s supervisory system during the Relevant Period concerning compliance with Regulation S-P with regard to the collection of Cookies obtained from customers, or individuals who provide NPI but are not onboarded as customers.
     
  2. Provide all versions of all initial privacy notices, see 17 CFR § 248.4, that the firm used at any time during the Relevant Period.
     
  3. To the extent not provided in response to the prior request, provide all versions of all opt-out notices, see 17 CFR § 248.7, that the firm used at any time during the Relevant Period.
     
  4. Provide all versions of all annual privacy notices, see 17 CFR § 248.5, that the firm used at any time during the Relevant Period.
     
  5. Provide any desk top procedures, compliance policies, manuals, training materials, compliance bulletins, and any other written guidance in effect for any portion of the Relevant Period concerning the sharing of any customer NPI with any third party.
     
  6. Provide any desk top procedures, compliance policies, manuals, training materials, compliance bulletins, and any other written guidance in effect for any portion of the Relevant Period concerning individuals’ ability to opt-out of information sharing.
     
  7. Describe all types of data the firm tracks (or has tracked at any time during the Relevant Period), through the use of a Cookie or otherwise, in connection with its customers’ usage of (a) the firm’s website and/or (b) the firm’s mobile application (collectively "Usage Information"). Include individuals who provide NPI but are not onboarded as customers.
     
  8. Provide a list of all non-affiliated third parties with which the firm or any affiliate of the firm shares (or has shared at any time during the Relevant Period) any Usage Information.1 In addition, for each third party, provide the following information:
     
    1. A list of each type of Usage Information shared with that third party;
       
    2. Whether the data shared with the third party is anonymized;
       
    3. The firm’s understanding of the third party’s intended use of the Usage Information;
       
    4. How or to what extent the third party restricts access to Usage Information and describe the controls in place;
       
    5. The number of individuals whose Usage Information the firm or any affiliate of the firm shared with that third party during the Relevant Period;
       
    6. All written contracts or agreements between the firm (or, if applicable, the firm’s affiliated entity) and the third party concerning any Usage Information in force at any time during the Relevant Period; and
       
    7. Any compensation or benefit (including but not limited to monetary payments, reductions of amounts otherwise due, reciprocal sharing of information, and/or other non-monetary benefit) received by the firm or any of the firm’s affiliated entities in any way related to the sharing of any Usage Information with that third party.
       
  9. Provide any disclosures the firm provided to customers during the Relevant Period concerning any Usage Information shared with non-affiliated third parties and whether individuals identified in response to item 18 consented to the sharing of Usage Information.
     
  10. Provide any exception reports or any other memoranda that reflect instances during the Relevant Period in which the firm failed to comply with Regulation S-P as a result of its sharing of Usage Information with any non-affiliated third party. Provide copies of all documents concerning the firm’s identification, investigation, and/or reporting of any such instances, or concerning the firm’s consideration of whether to report the same.

1 Exclude from your response to this request any Usage Information shared with: any state, federal, or foreign regulator or other governmental entity; any self-regulatory organization; law enforcement; any clearing firm; any other financial institution pursuant to Section 314(b) of the USA PATRIOT Act; any party in response to a subpoena, court order, or discovery request; the customer or any other party as requested by the customer; or any other sharing mandated by law.