The overall tone of regulatory guidance is fairly consistent. Firms need to adhere to all recordkeeping and supervisory requirements and have the appropriate processes and policies in place to ensure compliance. Anything short of that may generate negative regulatory scrutiny and possibly risk the reputation of the firm.
Insurance and Social Media: Understanding the Rules

The tide of social media has reached the shores of the insurance industry. Following in the footsteps of their broker-dealer brethren, insurance companies are beginning to utilize social to build brand awareness, enhance customer service, recruit new agents, enhance existing relationships, and identify and nurture prospective clients. However, as a regulated industry, insurance firms are taking a cautious approach when permitting agents to use social media. A lesson learned from regulators of the securities industry, such as the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA), is that regulators consider social media just another form of electronic communications, to be treated as such.

This article takes a look at four sources of regulations to understand the direction the insurance industry is heading with respect to social media guidelines:

• A draft of a white paper issued by the National Association of Insurance Commissioners (NAIC)
• Social media guidance issued by FINRA, which applies to broker-dealers and registered representatives who sell variable life and annuity products
• SEC’s National Examination Alert, Investment Advisor Use of Social Media, which applies to Investment Advisors and Registered Investment Advisors
• Recent guidance from a state regulator (Massachusetts)

National Association of Insurance Commissioners

In addition to the SEC and FINRA (for those insurance firms who sell variable life and annuity products), insurance firms are also regulated by each of the individual state insurance regulators. However, the National Association of Insurance Commissioners (NAIC) was created in 1871 to address the need to coordinate regulation of multistate insurers. As a result, in 2011, the NAIC formed a working group to draft a white paper on “The Use of Social Media in Insurance”.[1] Although still in draft form (as of December 2011), this document still reveals hints on how the NAIC will treat social media in the future.

Supervision, Monitoring, and Training

Social media communications must align with existing regulations related to advertising, marketing, record retention, privacy, and consumer complaints. Firms must relay their internal policies to their appointed producers and employ a risk-based approach to train users.

Content

• Firms are responsible for content posted to their own sites, for posts by appointed producers (if attributed back to the firm), and possibly for posts of third parties.
• Like FINRA’s guidance, content is considered either static or interactive. Static content, i.e., content that remains posted until it is changed by the author, must comply with state marketing and advertising regulations. Interactive content, i.e., real-time communications, requires a more “nuanced,” or fact-based approach. Such content may not require filing or approval prior to use. As a best practice, firms should develop workflows that facilitate the pre-approval of static content and the supervision and moderation of interactive content.
• According to existing “adoption” and “entanglement” theories, firms may be responsible for third-party content, should an insurer/producer be involved in the preparation of content or the implicit or explicit endorsement of the third-party content. As a best practice, to avoid being responsible for third-party content, firms often disable the use of “retweet” or “favorite” within social media sites.
• Firms should adopt policies and controls to ensure content is accurate and timely and any product recommendations should comply with existing state laws and regulations. As a best practice, firms need to design risk-based supervisory procedures to ensure compliance with content standards that may include sampling and lexicon-based automated searches, typically by working with a third party.

Recordkeeping Requirements

Firms must maintain books and records so that examiners may readily determine compliance with rules and regulations. When an insurer is responsible for content, it must comply with individual state record retention requirements. As a best practice, as native social media sites do not provide retention or retrieval capabilities, firms typically work with third-party vendors to meet recordkeeping requirements.

Financial Industry Regulatory Authority (FINRA)

FINRA, regulator of broker-dealer firms in the securities industry, issued specific guidance for social media in January 2010[2] and then again in August of 2011.[3] FINRA reiterated that there are no new rules. Instead, firms are challenged to interpret how to apply these existing categories of rules and regulations to social media:

Recordkeeping

Firms must capture, save, and make easily available all written business correspondence, including social media communications, such as updates, tweets, direct messages, from both business and personal devices. The content is determinative. Timeframes vary, but in some cases, these communications need to be archived for at least five years. As a best practice, since social media sites do not offer this capability natively, firms are challenged to find another solution, typically by working with a third-party vendor(s).

Suitability

Broker-dealers must ensure that recommendations registered representatives (RRs) make to their clients are suitable for each investor. That means that the RRs must know their customers’ investment objectives and risk tolerance at that moment in time. As a best practice, firms typically prohibit recommending specific products, unless a registered principal of the firm has approved the communication.

Communications with the Public

Firms need to adhere to content standards for all communications. For example, they must disclose all the facts, cannot be misleading, nor can guarantee results. Testimonials are only allowed in certain circumstances for RRs. As a best practice, firms typically monitor communications to make sure content standards are being adhered to and also disable the ability to make recommendations and, in some cases, to “like.”
Firms also need to make sure communications are reviewed, either before or after they are made public, depending on how they are categorized and on the content. Static content, such as an advertisement, brochure, or profile on a social media site, needs to be pre-approved by a registered principal of the firm before it is made public. However, interactive communications, such as real-time interactions, may not require pre-approval, but a pre-determined percentage of them must be supervised. Both static and interactive communications must meet content standards and be supervised. Furthermore, all communications must be captured and retained. As a best practice, as communications rules are fairly complex and their interpretation is evolving, firms typically confer with their compliance department to develop processes for review and approval of content, either before it is posted or after, depending on the content of the communications and the firm’s risk tolerance.[4]

Firms are not responsible for third-party content unless they have involved themselves in the preparation of the content or explicitly or implicitly endorsed or approved the content. As a best practice, firms should establish and publish usage guidelines for customers and other third parties that are permitted to post on firm-sponsored websites. Firms should also monitor and block inappropriate third-party content and provide disclaimers regarding their responsibility for third-party posts. As retweeting, “liking,” or marking as “favorite” could be considered an endorsement of the post, firms typically block these capabilities.

Supervision

As with any type of electronic communications (such as email or instant messages), firms must demonstrate that they are supervising communications to ensure adherence with content standards. Regulators do not specify what percentage of communications must be reviewed. Instead, FINRA allows firms to use a risk-based approach, i.e., firms create supervision policies based on their own tolerance for risk, the type of content, plus compliance history of staff. However, FINRA does specify that associated persons who use social media must first receive training. As a best practice, firms develop and follow risk-based written supervisory procedures to ensure processes are in place to pre-approve static and product-related content. For interactive content that does not necessarily require pre-approval, firms determine how, when, and what percentage of content will be reviewed and then develop training programs for everyone who will be using social media.
The Securities and Exchange Commission (SEC)

On January 4, 2012, the SEC issued the National Examination Risk Alert, Investment Advisor Use of Social Media.[5] SEC staff of the Office of Compliance Inspections and Examinations stated that firms’ use of social media must comply with federal securities laws, including anti-fraud provisions, compliance provisions, and recordkeeping. Furthermore, the SEC noted that many firms have overlapping procedures that apply to advertisements, i.e., client communications which may or may not include social media. They warned that this lack of specificity creates confusion. The SEC also stated that firms should identify risks and then test whether their in-house policies and procedures effectively address these risks.

Factors to Consider Before Implementing Social Media

The SEC identified thirteen factors that an investment advisor may want to consider when evaluating the effectiveness of its compliance program. Factors include clearly establishing usage guidelines and thinking through how you will monitor social media sites as well as how often. For example, the SEC warned that due to the viral nature of social media, post-review (e.g., days later) may not be sufficient. The SEC also suggests that firms design and implement workflows for pre-approving content and train and certify investment advisors on the use of social media. Also important, firms should determine in advance whether there are enough resources dedicated to monitoring activity. Like other regulators, such as FINRA and the Investment Industry Regulatory Organization of Canada (IIROC), the SEC points out the importance of training and suggests examining the functionality of each social media site to ensure client privacy. The SEC made special mention about the risks of data security, as social media can render firms more vulnerable to data leakage and malware. Best Practice: the SEC suggests that each firm identify and thoughtfully think through the compliance factors that may create risk for the firm and then test whether existing policies and procedures address or mitigate those risks.

Third-Party Postings

The SEC further states that firms which allow third-party postings on their social media sites should develop policies about these third-party posts, particularly testimonials. Whether a third-party posting is a testimonial depends on all the “facts and circumstances”; however, SEC staff interprets the term to include clients’ experiences with, or endorsement of, an IA. Therefore, the use of “social plug-ins” such as the “Like” button could be interpreted as a testimonial under the Advisers Act, if it’s an explicit or implicit statement of a client’s experience with an advisor. In cases where social media sites do not allow the ability to disable “Like” or similar features, RIAs should develop a system to monitor and remove certain third-party postings. Best Practice: to avoid the interpretation of a testimonial, firms typically disable “Like” and “Recommendations” when possible.

Recordkeeping

The final section of the alert concerns recordkeeping. The existing Advisers Act defines recordkeeping requirements for IAs. In short, like FINRA and IIROC in Canada, the SEC does not treat social media any differently than any other written communications, such as emails or instant messages. Furthermore, like the other regulators, content is determinative – meaning that the content will determine the recordkeeping requirements. The SEC and the other regulators are only interested in business communications “as such.” All social media communications (e.g., status updates, direct messaging, texting, etc.) must be retained and be easily available for inspection for at least five years. The SEC also states that firms should conduct employee training programs specifically for recordkeeping requirements and do spot checks to ensure employees are complying with the policies. These records should be indexed in such a way that they are easily retrievable. Best Practice: as the SEC suggests, firms should consider using third parties for record retention.
Massachusetts Issues Regulatory Guidance on Social Media

Early in 2012, the Massachusetts Securities Division of the Commonwealth of Massachusetts provided regulatory guidance on social media.[6] While the Division’s alert applies only to state-registered investment advisors, it is worth noting as regulators tend to look to each other when issuing guidance on new areas of compliance. The essence of this guidance echoes SEC, FINRA and NAIC:

• Social media is considered advertising and subject to applicable regulatory requirements.
• Recordkeeping obligations under the Advisers Act and other applicable Massachusetts regulations include content on social media sites.
• According to adoption and entanglement theories discussed above, firms may be responsible for third-party content.
• Testimonials are prohibited.
• Full and fair disclosure of all material information relating to advertised performance is required. Investment advisors are advised to consider the appropriateness of social media for performance advertising.
• Firms must establish and maintain a system to supervise the activities of investment advisors and other employees to ensure compliance.

Summary

Although there are subtle, but important, differences in the interpretation of the rules (e.g., pre- and post-approval of content, the use of testimonials, and circumstances where firms are responsible for third-party content) across all the regulators, the overall tone of regulatory guidance is fairly consistent. Firms need to adhere to all recordkeeping and supervisory requirements and have the appropriate processes and policies in place to ensure compliance. Anything short of that may generate negative regulatory scrutiny and possibly risk the reputation of the firm.
Best Practices Overview

• Firms should develop workflows that facilitate the pre-approval of static content and the supervision and moderation of interactive content.
• To avoid being responsible for third-party content, firms often disable the use of “retweet” or “favorite” within social media sites.
• Firms need to design risk-based supervisory procedures to ensure compliance with content standards that may include sampling and lexicon-based automated searches, typically by working with a third party.
• As native social media sites do not provide retention or retrieval capabilities, firms typically work with third-party vendors to meet recordkeeping requirements.
• Since social media sites do not offer recordkeeping capabilities natively, firms are challenged to find another solution, typically by working with a third-party vendor(s).
• Firms typically prohibit recommending specific products, unless a registered principal of the firm has approved the communication.
• Firms typically monitor communications to make sure content standards are being adhered to and also disable the ability to make recommendations and, in some cases, to “like.”
• As communications rules are fairly complex and their interpretation is evolving, firms typically confer with their compliance department to develop processes for review and approval of content, either before it is posted or after, depending on the content of the communications and the firm’s risk tolerance.
• Firms should establish and publish usage guidelines for customers and other third parties that are permitted to post on firm-sponsored websites. Firms should also monitor and block inappropriate third-party content and provide disclaimers regarding their responsibility for third-party posts. As retweeting, “liking,” or marking as “favorite” could be considered an endorsement of the post, firms typically block these capabilities.
• Firms develop and follow risk-based written supervisory procedures to ensure processes are in place to pre-approve static and product-related content.
• For interactive content that does not necessarily require pre-approval, firms determine how, when, and what percentage of content will be reviewed and then develop training programs for everyone who will be using social media.
• The SEC suggests that each firm identify and thoughtfully think through the compliance factors that may create risk for the firm and then test whether existing policies and procedures address or mitigate those risks.
• To avoid the interpretation of a testimonial, firms typically disable “Like” and “Recommendations” when possible.
• As the SEC suggests, firms should consider using third parties for record retention.
Socialite

The Socialite platform helps organizations protect their brand and ensure compliance while allowing employees to share relevant content, measure impact, and increase engagement. Socialite controls access to more than 200 features across social networks but can also moderate, manage, and archive any social media traffic routed through the solution.

About Actiance

Actiance helps organizations manage, secure and ensure compliance across unified communications, collaboration, and Web 2.0 applications such as blogs, wikis and social networks. Actiance’s award-winning platforms are used by 9 of the top 10 US banks and nearly 300 FINRA-regulated firms globally. The Actiance platform allows organizations to gain visibility of applications in use, apply usage and content policies, ensure compliance, and gain valuable insights across the communications and collaboration channels in use. Actiance supports all leading social networks, unified communications, and collaboration providers and IM platforms, including Facebook, LinkedIn, Twitter, Google, Yahoo!, AOL, Skype, Cisco, Microsoft, Jive, and IBM. Actiance is headquartered in Belmont, California.

For more information, visit www.actiance.com or call 1-888-349-3223.

References

[1] http://www.naic.org/documents/committees_d_social_media_exposures_111201_whitepaper_draft_social_media.pdf
[2] FINRA Regulatory Notice 10-06, “Guidance on Blogs and Social Networking Web Sites,” http://www.finra.org/Industry/Regulation/Notices/2010/P120760
[3] FINRA Regulatory Notice 11-39, “Guidance on Social Networking Websites and Business Communications,” http://www.finra.org/Industry/Regulation/Notices/2011/P124187
[4] For more information and detailed recommendations, see Actiance, Addressing FINRA Regulations for Social Media
[5] SEC National Examination Alert, Investment Advisor Use of Social Media, http://www.sec.gov/about/offices/ocie/riskalert-socialmedia.pdf
[6] http://www.sec.state.ma.us/sct/sctpdf/The%20Use%20of%20Social%20Media%20by%20Investment%20Advisers.pdf