FINRA Provides Update on Sweep: Social Media Influencers, Customer Acquisition and Related Information Protection

February 2023

In September 2021, FINRA launched a targeted exam (sweep) to review firms’ practices related to their acquisition of customers through social media channels, as well as firms’ sharing of customers’ usage information with affiliates and non-affiliated third parties. The first part of the review focuses on firms’ use of social media[1] influencer and referral programs[2] to promote their products and services and recruit new customers. The second part of the review addresses firms’ privacy notices (and options to opt out) regarding the collection and sharing of their usage information.

This update summarizes selected practices FINRA has observed firms implement to this point in the sweep; not all firms in the sweep necessarily implemented each of the practices described below. These selected practices may help firms evaluate whether their practices and supervisory systems are reasonably designed to address risks related to social media influencer and referral programs. FINRA may provide additional information about our review at a later date.

This update, including the practices, does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws and regulations. Member firms may consider the information in this update in developing new, or modifying existing, practices that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some practices may not be relevant due to certain firms’ business models, size or practices.

I. Social Media Influencer and Referral Programs

Firms may consider the following practices as they evaluate their social media influencer and referral programs, including whether their practices and supervisory systems are reasonably designed to address relevant risks:

  • Maintaining written supervisory procedures (WSPs) focusing on social media influencer and referral programs, including:
    • Differentiating between social media influencer and referral programs, including considering additional controls for social media influencers with a relatively large social media presence, as well as any additional requirements for programs managed by member firms, affiliates or marketing agencies;
    • Updating their WSPs on a regular basis and in response to program developments, regulatory changes or industry trends; and
    • Addressing program participants’ compensation.
  • Evaluating potential social media influencers’ background and prior public social media activities for compliance and reputational risks before admitting them into their social media influencer programs.
  • Providing training and defining permitted and prohibited conduct for social media influencers.
  • Maintaining records of social media influencer and referral program communications with the public consistent with applicable U.S. Securities and Exchange Commission (SEC) and FINRA recordkeeping obligations.
  • Addressing social media influencer- and referral program-related compliance and reputational risks and concerns.

II. Privacy

Firms must comply with their obligations pursuant to Regulation S-P and other applicable laws, rules, and regulations for protecting customer nonpublic information (NPI) and are limited in disclosing customer NPI to non-affiliated third parties. Firms may consider other practices as appropriate as they evaluate whether their privacy program practices and supervisory systems are reasonably designed to address relevant risks and sharing of customers’ NPI with affiliates and non-affiliated third parties:

  • Maintaining WSPs addressing their obligations under Regulation S-P, including:
    • The general obligation to deliver privacy notices to customers no later than when members establish a customer relationship, and annually thereafter;
    • Protecting usage information for customers who opt out of information sharing; and
    • Collecting and sharing of customer usage information, including information collected using “cookies,” and sharing that information with third parties.
  • Including in their privacy notices to customers:
    • Categories of NPI they collect and share with third parties, including the categories of affiliated and non-affiliated third parties with whom the information is shared, among other applicable information items; and
    • Guidance from Regulation S-P’s model notice.
  • Permitting customers to opt out of information sharing with third parties and not sharing this information.
  • If the firm shares non-anonymized NPI with third parties, maintaining written agreements with those third parties limiting their use of that information consistent with Regulation S-P.


1 As noted in the targeted exam letter, “social media” means any website or application that enables users to create and share content or participate in social networking – including but not limited to TikTok, Facebook, Instagram, YouTube, Twitter, StockTwits, Reddit and Twitch. “Social media influencers” or “influencers” means any third party with whom the firm contracts or compensates to provide Social Media Communications. “Social Media Communications” means any communication with the public, including the provision of any content or advertisement about or on behalf of the firm, made pursuant to an arrangement with a third party, through social media.

2 As noted in the targeted exam letter, “referral program” means any customer or account referral program offered or used by a firm through which individuals receive bonuses, rewards, incentives or other compensation for referring new customers to open accounts at the firm. We generally use the phrase “social media influencer program” to describe referral or other programs for individuals with a relatively large social media presence, who are compensated for promoting the firm’s products and services.