Social Media Websites and the Use of Personal Devices for Business Communications
Referenced Rules & Notices
SEA Rule 17a-3
SEA Rule 17a-4
Communications With the Public
Personal Electronic Devices
Social Networking Websites
In January 2010, FINRA issued Regulatory Notice [10-06], providing guidance on the application of FINRA rules governing communications with the public to social media sites and reminding firms of the recordkeeping, suitability, supervision and content requirements for such communications. Since its publication, firms have raised additional questions regarding the application of the rules. This Notice responds to these questions by providing further clarification concerning application of the rules to new technologies. It is not intended to alter the principles or the guidance provided in Regulatory Notice [10-06].
Questions concerning this Notice may be directed to:
• Joseph E. Price, Senior Vice President, Advertising Regulation/Corporate Financing, at (240) 386-4623;
• Thomas A. Pappas, Vice President, Advertising Regulation, at (240) 386-4553; or
• Amy Sochard, Director, Advertising Regulation, at (240) 386-4508.
The obligations of a firm to keep records of communications made through social media depend on whether the content of the communication constitutes a business communication. Rule 17a-4(b) under the Securities Exchange Act of 1934 (SEA) requires broker-dealers to preserve certain records for a period of not less than three years, the first two in an easily accessible place.1 Among these records, pursuant to SEA Rule 17a-4(b)(4), are "[o]riginals of all communications received and copies of all communications sent (and any approvals thereof) by the member, broker or dealer (including inter-office memoranda and communications) relating to its business as such, including all communications which are subject to rules of a self-regulatory organization of which the member, broker or dealer is a member regarding communications with the public."2 The SEC has stated that the content of an electronic communication determines whether it must be preserved.3
[Rule 3010] requires each firm to establish and maintain a system to supervise the activities of each associated person that is reasonably designed to achieve compliance with applicable federal securities laws and FINRA rules. As part of this responsibility, a registered principal must review prior to use any social media site that an associated person intends to employ for a business purpose. The registered principal may approve use of the site for a business purpose only if the registered principal has determined that the associated person can and will comply with all applicable FINRA rules, the federal securities laws, including recordkeeping requirements, and any additional requirements established by the firm.
The registered principal must review an associated person's proposed social media site in the form in which it will be "launched." Some firms require a registered principal to review the first posting by an associated person on an interactive forum within the site. This approach can help to ensure that the registered principal will be reviewing not only the initial communication, but the social media site itself in its completed design.
FINRA considers unscripted participation in an interactive electronic forum to come within the definition of "public appearance" under NASD [Rule 2210]. Public appearances do not require prior approval by a registered principal. Firms may adopt risk-based supervisory procedures utilizing post-use review, including sampling and lexicon-based search methodologies, of unscripted participation in an interactive electronic forum. The procedures a firm adopts must be reasonably designed to ensure that interactive electronic communications do not violate FINRA or SEC rules, including the content requirements of NASD [Rule 2210], such as the prohibition on misleading statements or claims and the requirement that communications be fair and balanced. A static posting is deemed an "advertisement" under NASD [Rule 2210] and therefore requires a registered principal to approve the posting prior to use.4
3. Links to Third-Party Sites
Firms may not establish a link to any third-party site that the firm knows or has reason to know contains false or misleading content. A firm should not include a link on its website if there are any red flags that indicate the linked site contains false or misleading content. Additionally, a firm is responsible under NASD [Rule 2210] for content on a linked third-party site if the firm has adopted or has become entangled with its content. For example, a firm may be deemed to have "adopted" third-party content if it indicates on its site that it endorses the content on the third-party site. A firm could be deemed to have become "entangled" with a third-party site if, for example, it participates in the development of the content on the third-party site.
4. Data Feeds
Firms must adopt procedures to manage data feeds into their own websites. FINRA is aware of situations in which firms have received data feeds that were inaccurate. Firms must be familiar with the proficiency of the vendor of the data and its ability to provide data that is accurate as of the time it is presented on the firm's website. Firms also must understand the criteria followed by vendors in gathering or calculating the types of data that the firm intends to feed into its website, in order to determine whether the vendor is performing this function in a reasonable manner.5 Firms also should regularly review aspects of these data feeds for any red flags that indicate that the data may not be accurate, and should promptly take necessary measures to correct any inaccurate data.
Questions & Answers
Q1: Does determining whether a communication is subject to the recordkeeping requirements of SEA Rule 17a-4(b)(4) depend on whether an associated person uses a personal device or technology to make the communication?
A1: SEA Rule 17a-4(b)(4) requires a firm to retain records of communications that relate to its "business as such." Whether a particular communication is related to the business of the firm depends upon the facts and circumstances. This analysis does not depend upon the type of device or technology used to transmit the communication, nor does it depend upon whether it is a firm-issued or personal device of the individual; rather, the content of the communication is determinative. For instance, the requirement would apply if the electronic communication was received or sent by an associated person through a third-party's platform or system. A firm's policies and procedures must include training and education of its associated persons regarding the differences between business and non-business communications and the measures required to ensure that any business communication made by associated persons is retained, retrievable and supervised.
Q2: When an associated person posts autobiographical information, such as place of employment or job responsibilities, does this information constitute a business communication?
A2: As discussed in question 1 above, firms must develop policies and procedures that include training regarding the difference between business and non-business communications to enable appropriate compliance. In certain contexts, such as sending a resume to a potential employer, the communication could be viewed as not relevant to the business of the firm. In other contexts, such as posting a list of products or services offered by the firm, the communication likely will be viewed as a business communication.
Q3: May a firm or associated person sponsor a social media site or use a communication device that includes technology which automatically erases or deletes the content?
A3: No. Technology that automatically erases or deletes the content of an electronic communication would preclude the ability of the firm to retain the communications in compliance with their obligations under SEA Rule 17a-4. Accordingly, firms and associated persons may not sponsor such sites or use such devices.
Q4: Do the recordkeeping requirements apply to third-party posts to a firm or an associated person's social media sites if the firm or the individual has not adopted or become entangled with the post?
A4: Regulatory Notice [10-06] addresses the application of NASD [Rule 2210] to third-party posts on a social media site established by a firm or its associated persons. Unless the firm or its associated persons have adopted or become entangled with the post, FINRA generally does not treat third-party posts as the firm's or its associated persons' communications under the rule. The recordkeeping requirements, however, require retention of the records of all communications received by a firm or its associated persons relating to its business as such.
Q5: Do the recordkeeping requirements differ for static and interactive communications?
A5: They do not—the recordkeeping requirements are governed by the content of the communication. As noted above, the FINRA supervision requirements differ for static and interactive communications.
Q6: Can interactive content become static?
A6: Yes. For example, interactive content could be copied or forwarded and posted in a static forum, such as a blog or static area of a Web page, in a manner that renders it static content. It then would constitute an advertisement under NASD [Rule 2210], requiring prior approval by a registered principal of the firm.
Q7: What measures should a firm adopt to monitor compliance with its social media policies?
A7: A firm must conduct appropriate training and education concerning its policies, including those relating to social media. Firms must follow up on "red flags" that may indicate that an associated person is not complying with firm policies. Some firms require each associated person to certify on an annual or more frequent basis that the associated person is acting in a manner consistent with such policies. When feasible, some firms also have chosen to randomly spot check websites to help them monitor compliance with firm policies.
Q8: Must material changes to static content posted by a firm or its associated persons on a social media site that contains business communications receive prior approval by a registered principal?
A8: NASD [Rule 2210](1)(b) requires a registered principal to approve each advertisement and item of sales literature before the earlier of its use or filing with FINRA's Advertising Regulation Department. NASD [Rule 2210](c)(8) excludes from the filing requirements any advertisement or sales literature that previously had been filed and that is to be used "without material change." Firms are expected to adopt procedures requiring prior registered principal approval of any advertisement or sales literature that has been materially changed, even if it had been previously approved in an earlier version. For example, changes in the description of the advantages of investing in the advertised product or of its risks would typically require registered principal prior approval. Since static content posted by a firm or its associated persons on a social media site that contains business communications is considered to be an advertisement, these procedures must apply to such static content.
Third-Party Posts, Third-Party Links and Websites
Q9: If a third party posts a business-related communication, such as a question about a security, on an associated person's personal social media site, may the associated person respond to the communication?
A9: Yes, provided that the response does not violate the firm's policies concerning participation on a personal social media site. If a firm has a policy that associated persons may not use a personal social media site for business purposes, then a substantive response by the associated person would violate this policy.6 Some firms permit a non-substantive response, and pre-approve statements that their associated persons may make to respond to such posts and that direct the third party to other firm-approved communication media, such as the firm's email system.
Q10: To what extent is a firm responsible for any third-party website that the firm or its associated person "co-brands"?
A10: Under NASD [Rule 2210], a firm that co-brands any part of a third-party site, such as by placing the firm's logo prominently on the site, is responsible for the content of the entire site. Under these circumstances, FINRA considers the firm to have adopted the content on that site. A firm is responsible under NASD [Rule 2210] for content on a linked third-party site if the firm has adopted or become entangled with its content. Regulatory Notice [10-06] describes the "adoption" and "entanglement" theories as they apply to third-party posts on a firm's social media sites. FINRA considers a firm to have adopted content in a third-party post if the firm or its personnel explicitly or implicitly endorse or approve the post.
Q11: When is a firm not responsible for the content on a third-party site to which it links?
A11: A firm may establish a link to the site of an independent third party without assuming responsibility for the content of that site under NASD
• the firm does not "adopt" or become "entangled" with the content of the third-party site; and
• the firm does not know or have reason to know that the site contains false or misleading information.
Q12: If firm policy requires deletion of inappropriate third-party content, will the firm be considered to have adopted any third-party posts that are not deleted?
A12: No. The fact that the firm has a policy of routinely blocking or deleting certain types of content in order to ensure the content is appropriate would not mean that the firm had adopted the content of the posts left on the site. For example, most firms using social media sites block or screen offensive material. Such a policy would not indicate that the firm has adopted the remaining third-party content.
Q13: Does NASD Rule 2210 require firms to approve or maintain records of statistical information that the firm has regularly updated on its website?
A13: NASD [Rule 2210](b)(1) requires that a registered principal approve each advertisement and item of sales literature prior to use or filing with FINRA's Advertising Regulation Department. NASD [Rule 2210](b)(2) requires firms to maintain all advertisements and sales literature, including the names of the persons who prepared them or approved their use, for a period beginning on the date of first use and ending three years from the date of last use.
Statistical information that is posted on a firm's website would be considered an "advertisement" subject to the approval and recordkeeping requirements of NASD Rules (b)(1) and (2). However, some firms establish templates for the presentation of this data, and subject these templates to those provisions. The data that is fed into the website in accordance with such a template would not be subject to the requirements of NASD Rules (b)(1) and (2). The firm must have procedures reasonably designed to ensure that the data can be verified to ensure that it is timely and accurate, and that the firm can promptly correct data that is erroneous when posted or becomes inaccurate over time.
Accessing Social Media Sites From Personal Devices
Q14: May associated persons use personal communication devices and other equipment, such as a smart phone or tablet computer, to access firm business applications and perform business activity if the firm employs technology that enables the firm to keep records and supervise the activity?
A14: Yes. Firms may permit their associated persons to use any personal communication device, whether it is owned by the associated person or the firm, for business communications. FINRA recognizes that the development of new technologies can facilitate the ability of associated persons to perform their responsibilities and, in the case of registered representatives, to serve their clients. Of course, the firm must be able to retain, retrieve and supervise business communications regardless of whether they are conducted from a device owned by the firm or by the associated person.
In order to ensure that the business communications are readily retrievable without necessitating the capture of personal communications made on the same device, firms should have the ability to separate business and personal communications, such as by requiring that the associated persons use a separately identifiable application on the device for their business communications. If possible, this application should provide a secure portal into the firm's own communication system, particularly if confidential customer information may be shared. If the firm has the ability to separate business and personal communications, and has adequate electronic communications policies and procedures regarding usage, then the firm is not required to supervise the personal emails made on these devices. Of course, firms also are free to treat all communications made through the personal communication device as business communications.
1 SEA Rule 17a-4(f) permits broker-dealers to maintain and preserve these records on "micrographic media" or by means of "electronic storage media," as defined in the rule and subject to a number of conditions.
2 See also NASD [Rule 2210](b)(2) (requiring the retention of all advertisements, sales literature and independently prepared reprints), NASD [Rule 2211](b)(2) (requiring the retention of institutional sales material) and NASD [Rule 3010](d)(3) (requiring the retention of correspondence of registered representatives).
3 See Reporting Requirements for Brokers or Dealers under the Securities Exchange Act of 1934, SEC Rel. No. 34-38245 (Feb. 5, 1997).
4 FINRA has filed with the SEC a proposed rule change that would replace most of the NASD and NYSE rules governing communications with the public with a series of new FINRA rules. See SR-FINRA-2011-035. Among other changes, the term "advertisement" would be subsumed within a new communication category, "retail communication."
5 Cf., Regulatory Notice [08-77] (Dec. 2008) (Customer Account Statements) (discussion of "data vendors"). See also Notice to Members (NTM) [05-48] (July 2005) (Members' Responsibilities When Outsourcing Activities to Third-Party Service Providers); Regulatory Notice [11-14] (March 2011) (FINRA Requests Comment on Proposed New FINRA Rule 3190 to Clarify the Scope of a Firm's Obligations and Supervisory Responsibilities for Functions or Activities Outsourced to a Third-Party Service Provider).
6 Of course, if the firm permits business-related communications on a personal social media site, then the firm must supervise that site for compliance with applicable rules and the federal securities laws.