FINRA has issued a Regulatory Notice 11-39 (the “Notice”), in which it offers additional guidance on the use of social media. The Notice re-emphasizes the guidance FINRA issued in Regulatory Notice 10-06 (“Notice-10-06”), its first foray into issues relating to use of social media.1 Notice 11-39 offers some general instructions and provides answers (some helpful, some less so) to fourteen questions focusing on firms’ recordkeeping and supervisory duties when using social media for business communications.
FINRA’s central message is that, regardless of the medium used by a firm and its associated persons, the basic content standards, filing and approval, and supervision requirements contained in NASD Rule 2210 still apply, as do the recordkeeping requirements of SEC Rule 17a-4.
The Notice reiterates that firms must capture and retain ALL business communications consistent with SEC and FINRA rules. It does not matter on what type of device they were created (handheld, desktop, etc.), who owns the device (individual versus the firm) or how they were sent (paper, email, blog post, etc.). If the content of the message makes it a business communication, then the firm is responsible for retaining it. FINRA notes that a firm also must retain any third party posts on its website or on social media sites on which it or its representatives have created a presence if these posts are communications relating to the firm’s “business as such.” The retention requirement applies even though, as FINRA recognizes, in most cases third-party posts are not considered the firm’s own communications for the purposes of principal review or filing requirements in Rule 2210.2
To comply with this requirement, before permitting the use of a social media site, firms must determine how they intend to capture, retain and retrieve the communications. This is particularly important when the social media site itself cannot or will not keep records that would satisfy the firms’ recordkeeping requirements. A firm considering whether to use a vendor to assist with recordkeeping for its social media must conduct adequate due diligence to assess the vendor’s capabilities to assist the firm in complying with its regulatory requirements.
The Notice asks whether autobiographical information posted by an associated person (e.g., LinkedIn) is a business communication. However, the Notice does not provide a clear answer. Instead the Notice states that, at times, this information may not be relevant to the firm’s business — for example if it is posted by an associated person seeking employment — and would not need to be retained by the firm. However, if the posting contains a list of products or services offered by the firm, then it is a business communication that the firm must capture and retain. Most firms are likely to conclude that they should supervise and retain such autobiographical postings.
The Notice also discusses the use of personal electronic devices (iPhones, etc.) for business purposes. The Notice provides that firms may allow their associated persons to use personal devices to send business communications without capturing all communications (business and personal) sent through the device if the business communications are segregated by sending them only through specific firm-approved applications on the personal device. It is preferable, FINRA notes, if these applications provide “a secure portal to the firm’s own communication system.” The firm is not required to supervise or retain personal communications made through other applications on the same device. The Notice provides firms with some flexibility in managing these devices. Firms may, however, conclude that adequate supervision can best be achieved by limiting its associated persons’ ability to mix personal and business communications on a single device. With this in mind, the Notice also states that firms can choose to treat all communications on such a device as business communications.
The Notice emphasizes that before a firm allows an associated person to use a social media site for business purposes a registered principal must:
The Notice also advises firms that unscripted participation in an interactive electronic forum is a public appearance under the communications rules. As such, while those communications do not require prior principal approval, firms must adopt risk-based supervisory procedures, which might include training, as well as post-use review, sampling and lexicon-based searches of these interactions. That said, unlike other public appearances (e.g., radio interviews, live speeches or seminars) where a firm might not create a record of the appearance, the Notice clearly requires firms to retain these posts. Associated persons, therefore, should only be permitted to engage in interactive communications on platforms on which the firm is equipped to capture the posts. The Notice reconfirms that a static posting is an advertisement and therefore requires a registered principal to approve prior to the posting.
The Notice provides examples of what it states some firms do to comply with their supervisory obligations, including:
Firms should consider incorporating these examples into their supervisory procedures for social media. The Notice also states that firms should have supervisory procedures for data feeds used on the firm’s website. These supervisory procedures should address both due diligence at the time a data feed is first used, and regular review of these data feeds for any red flags regarding potential inaccuracies.
III. Third-Party Posts, Links and Websites
While the firms can control their own online conduct and, to some degree, the conduct of their associated persons, they have less ability to control posts made by third parties. In the Notice FINRA addresses several issues these communications pose.
First, FINRA addresses instances in which a third party posts a business-related communication, such as a question about a security, on an associated person’s personal social media site. Whether the associated person may provide a substantive response, according to FINRA, depends on the firm’s own policies — associated persons should only provide a substantive response if the firm’s policies allow use of personal sites for business purposes (and a firm in that case must supervise that use). If the firm’s policy prohibits business communications on personal social media sites, the Notice advises that some firms have provided their associated persons with a non-substantive pre-approved statement that the associated person may use to respond to such posts. Those statements direct the third party to other firm-approved channels, such as the firm’s website, or a firm email address.
Second, FINRA also reaffirms in the Notice that firms are not responsible for third-party posts unless they either “adopt” or become “entangled” with the posts. The theories of adoption and entanglement were discussed in Notice 10-06.3 The Notice makes it clear that deleting inappropriate third-party content does not mean that the firm has “adopted” all of the remaining third-party content.
Third-Party Links and Websites
FINRA notes that if a firm “co-brands” any part of a third-party site, such as by placing its logo prominently on the site, the firm is responsible for the content of the entire site. The Notice also reaffirms prior interpretive guidance regarding the use of hyperlinks. A firm is responsible for the content of a third-party site to which it provides a hyperlink if the firm knows that the site contains false or misleading information or the firm has adopted or become entangled with the content of the third party’s site. For example, by commenting favorably on and linking to an article on a third party’s site the firm may adopt the article and become responsible for its content. By contrast, a firm does not adopt the content of a site merely by linking to its homepage, if the firm has a reasonable basis to believe the site’s information is accurate.
With the increased usage of social media, firms should review their compliance with the communications and recordkeeping rules. In its guidance to the industry, FINRA’s message is clear — it expects firms to conduct adequate due diligence before permitting the usage of social media for business communications. Indeed, especially given the wide range of social media sites, firms also should consider how to conduct ongoing supervision of the use of the social media sites, and how to keep records about business-related communications on those sites.
For additional information concerning this alert, please contact the following lawyers:
1 See Bingham Alert, FINRA Issues Guidance on Social Media Web Sites, January 28, 2010.
2 As discussed in Bingham Alert, SEC Publishes FINRA Proposal for Complete Rewrite of Communications With the Public Rule, August 3, 2011, FINRA has proposed substantial changes to its communications with the public rules, and those proposed changes incorporate the social media guidance first provided in Notice 10-06.
3 See Bingham Alert, FINRA Issues Guidance on Social Media Web Sites, January 28, 2010.