FINRA issued Regulatory Notices 10-06 and 11-39 to provide guidance to broker-dealers on using social media. 10-06 defines communications on social media into categories like advertisements, sales literature, and public appearances. 11-39 clarifies recordkeeping, supervision, and responsibility for third-party content. The document maps features of Facebook, LinkedIn and Twitter to these rules and provides recommendations. It also outlines policies, procedures and records regulators examine regarding social media use.
2. Contents
Executive Summary...........................................................................3
Regulatory Notice 10-06....................................................................3
Definitions .......................................................................................4
Categories of Electronic Communications............................................4
Regulatory Notice 10-06 Provisions ...................................................5
Regulatory Notice 11-39....................................................................6
Regulatory Notice 11-39 Provisions ....................................................6
Key Social Media Sites.......................................................................8
Facebook .........................................................................................8
LinkedIn ..........................................................................................8
Twitter .............................................................................................8
Mapping Features to 10-06 and 11-39...............................................9
Facebook..........................................................................................9
LinkedIn.........................................................................................11
Twitter............................................................................................12
FINRA Examiners’ Checklist.............................................................13
Policies .........................................................................................13
Procedures.....................................................................................13
Recordkeeping................................................................................14
About Actiance, Inc.........................................................................16
| Privacy Controls for Facebook
3. Executive Summary
The Financial Industry Regulatory Authority (FINRA) issued Regulatory
Notice 10-06 in January 2010 to provide guidance to broker-dealers
regarding the use of social media for advertising. As social media is
relatively new in the financial services industry, firms are trying to better
understand how they can use social media effectively. A task force
convened early in 2011 to revisit 10-06, resulting in the issuance of
Regulatory Notice 11-39 in August 2011 as a corollary to 10-06.
This handbook is intended as a primer on Regulatory Notices 10-06 and
11-39 and how each relates to social media sites like Facebook, LinkedIn,
and Twitter. Additionally, the handbook details how the key features of
these sites map to 10-06 and 11-39, what the appropriate course of
action should be, and what kinds of issues FINRA regulators are most
interested in when conducting their audits. This handbook has also been
updated to include FINRA Rule 2210, which went into effect February 4,
2013.
Regulatory Notice 10-06
FINRA Regulatory Notice 10-06 is the key piece of guidance on the
use of social media for advertising purposes. With the increasing
popularity and use of social networking sites like Facebook, LinkedIn,
and Twitter, the industry felt it was necessary to issue guidance specific
to social media. With the availability of such guidelines, broker-dealers
and registered representatives (RRs) now have more clarity into the
permissible uses of social media and the associated supervisory and
recordkeeping requirements.
Using Social Media | 3
4. Definitions
When FINRA issued Regulatory Notices 10-06 and 11-39, there were six
major categories of communications under NASD Rule 2210. Since then,
FINRA has replaced NASD Rules 2210 and 2211 and NYSE Rule 472
with FINRA Rule 2210, which governs communications with the public.
The new rule reduces the number of communications categories from six
to three, two of which pertain to social media:
Correspondence
Correspondence includes any written (including electronic) communication
that is distributed or made available to 25 or fewer retail investors within
any 30 calendar-day period.
Retail communication
Retail communication includes any written (including electronic)
communication that is distributed or made available to more than 25 retail
investors within any 30 calendar-day period. A “retail investor” includes
any person other than an institutional investor, regardless of whether
the person has an account with the firm. Communications that formerly
qualified as advertisements and sales literature generally now fall under
the definition of “retail communication.”
Categories of Electronic Communications
Static Content
Static content is generally accessible to all visitors and usually remains
posted until it is removed by the firm or individual who established the
account. Examples of static content include profile, background, or wall
information. A registered principal of the firm must approve all static
content, on a page before it is posted, or before the page is edited.
4 | Using Social Media | Privacy Controls for Facebook
5. Interactive Electronic Forum
Interactive content is considered non-static. These real-time
communications do not require approval by a registered principal prior to
use. In fact, FINRA Rule 2210, specifically exempts from pre-review any
retail communication that:
•• is posted on an online interactive electronic forum;
•• does not make any financial or investment recommendation or
otherwise promote a product or service of the firm.
However, firms still have record keeping requirements and must supervise
communications. Examples of interactive content include Facebook posts,
tweets, and LinkedIn status updates.
Regulatory Notice 10-06 Provisions
•• Publicly available websites, banner advertisements, and bulletin
boards are considered advertisements. Static (non-interactive)
content on social media sites and blogs are also deemed to be
“advertisements.”1
•• An email or instant message sent to 25 or more prospective retail
customers is considered “sales literature.”1
•• An email or instant message is considered “correspondence” if it is
sent to (1) a single customer (prospective or existing); and (2) less
than 25 prospective retail customers within a 30-day period.
•• Password-protected websites are considered “sales literature.”1
•• Real-time interactive or non-static electronic forums, including
extemporaneous chat room, social networking, and blog comments are
considered “public appearances.”1
1 Now defined as “Retail Communications,” per FINRA Rule 2210. This rule replaces NASD
Rule 2210 and 2211 and NYSE Rule 472.
Using Social Media | 5
6. Regulatory Notice 11-39
In this notice, FINRA provides further guidance for firms on applying
rules governing communications with the public when using social
media. In short, firms are reminded that existing rules for recordkeeping,
suitability, supervision and content requirements all apply to social media.
Additionally, FINRA clarified the following points:
•• The content of the communication is determinative, not the
communication channel.
•• A firm is subject to the “adoption” and “entanglement” theories
regarding third-party posts.
•• Business communications over personal devices must be retained,
retrievable, and supervised.
Regulatory Notice 11-39 Provisions
Recordkeeping
Under Securities Exchange Act (SEA) Rule 17a-4, firms must retain
retrievable records of business-related communications made through
social media, regardless of the type of device or technology, or whether
they were made by firm-issued or personal devices. In order to retain all
business-related communications, firms may not use communications
devices that automatically delete information. FINRA also states that firms
must develop policies and train associated persons on the differences
between business and non-business communications. As further
clarification to 10-06, both static and interactive content are subject to
recordkeeping rules.
6 | Using Social Media | Privacy Controls for Facebook
7. Supervision
Under NASD Rule 3010, firms must supervise registered persons. To this
end, a registered principal must review a social media site in the form
that it will be launched. Reiterating 10-06, unscripted participation in an
electronic form is considered a “public appearance”1 and, therefore, does
not require prior approval by a registered principal of the firm. However, it
must be supervised to ensure that communications do not violate FINRA
or SEC rules, including the content requirements of FINRA Rule 22101.
However, should interactive content become static, it is considered an
“advertisement”1 and, as such, requires pre-approval by a registered
principal of the firm.
Third Party Posts, Links, and Sites
An associated person may respond to communications on a social media
site as long as the response does not violate a firm’s policies. Firms may
not establish third-party links to any site that is known to have false or
misleading content. A firm is responsible under NASD Rule 22101 for the
content on a third-party site if the firm has either become “entangled” in
the development of the content or “adopted” the content through implicit
or explicit endorsement.
Data Feeds
Firms are responsible for third-party data feeds and must review them for
accuracy and correct any erroneous data.
Using Social Media | 7
8. Key Social Media Sites
Facebook
Facebook is the largest social network in the world with over one
billion members. It enables members to create profiles, upload
photos, join groups, and set up “fan” pages to better interact with
customers, prospects, and fans. It aims to make the world “more open
and connected.”
LinkedIn
LinkedIn is a social networking site focused on business professionals.
It numbers over 200 million members with representation in over 200
countries. Members use the site to exchange information, ideas, and
opportunities. They build up a network of “connections” by joining groups
and inviting others to join their network.
Twitter
Twitter is a social media site that offers a microblogging service (140
characters or less). It’s been nicknamed the “SMS of the Internet” and is
essentially a real-time information network that connects you to the latest
information on topics of interest to you. You can choose to “follow” or be
followed by others. Additionally, your messages can be private, and you
retain control over who follows you.
8 | Using Social Media | Privacy Controls for Facebook
9. Mapping Features to 10-06 and 11-39
Facebook
FINRA FINRA Relevant
Feature Definition Category Recommendation Controls
Archive, Post-
Retail
Basic information Static Pre-review review, Block/
Communication
allow
Archive, Post-
Retail
Profile picture Static Pre-review review, Block/
Communication
allow
Update status Archive,
Retail
(Wall & News Interactive Supervise Post-review,
Communication
Feed) Pre-review*
Upload photo
Retail Archive, Post-
(Wall & News Interactive Supervise
Communication review
Feed)
Attach link (Wall Retail Archive, Post-
Interactive Supervise
& News Feed) Communication review
Upload video Archive, Post-
Retail
(Wall & News Static Pre-review review, Block/
Communication
Feed) Allow
Archive,
Retail
Write a comment Interactive Supervise Post-review,
Communication
Pre-review*
Archive, Post-
Chat Correspondence Interactive Supervise
review
Compose Archive, Post-
Correspondence Interactive Supervise
message review
Post new topic to Retail Archive, Post-
Interactive Supervise
group Communication review
Using Social Media | 9
10. Facebook
FINRA FINRA Relevant
Feature Definition Category Recommendation Controls
Retail Archive, Post-
Create group Communication Interactive Supervise review
Retail Archive, Post-
Chat with group Interactive Supervise
Communication review
Post reply to Retail Archive, Post-
Interactive Supervise
group topic Communication review
Retail Archive, Post-
Join a group Interactive Supervise
Communication review
Like (may be Archive, Post-
Retail Static or
considered an Block or Supervise review, Block/
Communication Interactive
endorsement) allow
10 | Using Social Media | Privacy Controls for Facebook
11. Mapping Features to 10-06 and 11-39
LinkedIn
FINRA FINRA Relevant
Feature Definition Category Recommendation Controls
Archive, Post-
Retail
Basic information Static Pre-review review, Block/
Communication
allow
Archive, Post-
Retail
Profile picture Static Pre-review review, Block/
Communication
allow
Profile update Archive, Post-
Retail
(Video, Shared Static Pre-review review, Block/
Communication
documents, etc.) Allow
Archive,
Share status Retail
Interactive Supervise Post-review,
update Communication
Pre-review*
Comment to Retail Archive, Post-
Interactive Supervise
status update Communication review
Compose Archive, Post-
Correspondence Interactive Supervise
message review
Archive, Post-
Retail
Recommendations Static Block review, Block/
Communication
allow
Retail
Join group Interactive Supervise N/A
Communication
Retail
Create a group Interactive Supervise N/A
Communication
Retail Archive, Post-
Start a discussion Interactive Supervise
Communication review
Like a group Archive, Post-
Retail Static or
discussion Block or Supervise review, Block/
Communication Interactive
comment allow
Post a comment
Retail Archive, Post-
to group Interactive Supervise
Communication review
discussion
Using Social Media | 11
12. Mapping Features to 10-06 and 11-39
Twitter
FINRA FINRA Relevant
Feature Definition Category Recommendation Controls
Retail Archive, Post-
Basic information Static Pre-review
Communication review
Retail Archive, Post-
Profile picture Static Pre-review
Communication review
Archive,
Retail
Tweet Interactive Supervise Post-review,
Communication
Pre-review*
Retweet (may be Archive, Post-
Retail Static or
considered an Block or Supervise review, Block/
Communication Interactive
endorsement) allow
Retail Archive, Post-
Reply Interactive Supervise
Communication review
Archive, Post-
Retail Static or
Favorite Block or Supervise review, Block/
Communication Interactive
allow
Follow N/A Interactive Supervise N/A
Send a direct Archive, Post-
Correspondence Interactive Supervise
message review
Archive, Post-
Retail Static or
Create a list Block or Supervise review, Block/
Communication Interactive
allow
12 | Using Social Media | Privacy Controls for Facebook
13. FINRA Examiners’ Checklist
Policies
FINRA examiners typically are interested in the types of written supervisory
procedures financial services firms have adopted to address social media.
Of particular interest to regulators are the following policies:
•• General use of social media within the firm
•• Any communications posted to social media sites
•• Any prospective communications posted to social media sites
•• Any ongoing monitoring or review processes related to communications
posted to social media sites
•• Third-party communications posted to a social media site
•• Approval processes for prospective communications posted by
third parties
•• Any ongoing monitoring or review processes for communications
posted by third parties
•• Use of social media for non-business purposes
•• Training and education of personnel on social media usage, whether
for personal or business purposes
•• Disciplinary action for social media use
•• Record retention of social media, whether for personal or business
purposes
•• Process for handling customer complaints
Procedures
Regulators are also interested in learning about the procedures firms
have in place to ensure that the latter remain in compliance with FINRA
guidelines. Generally speaking, procedures usually mirror the policies
themselves, i.e., firms will develop procedures to be consistent with the
policies they’ve established (see preceding section). Thus, regulators
are interested in viewing documentation pertaining to procedures for
the following:
Using Social Media | 13
14. •• General use of social media within the firm
•• Any communications posted to social media sites
•• Any prospective communications posted to social media sites
•• Any ongoing monitoring or review processes related to communications
posted to social media sites
•• Third-party communications posted to a social media site
•• Approval processes for prospective communications posted by
third parties
•• Any ongoing monitoring or review processes for communications
posted by third parties
•• Use of social media for non-business purposes
•• Training and education of personnel on social media usage, whether
for personal or business purposes
•• Disciplinary action for social media use
•• Record retention of social media, whether for personal or business
purposes
•• Process for handling customer complaints
Recordkeeping
Regulators constantly remind members that they must adhere to
recordkeeping rules, if they choose to communicate through social
networking sites.
“Each member shall make and preserve books, accounts, records,
memoranda, and correspondence in conformity with all applicable laws,
rules, regulations and statements of policy promulgated thereunder and
with the Rules of this Association and as prescribed by SEA Rule 17a-3.
The record keeping format, medium, and retention period shall comply
with Rule 17a-4 under the Securities Exchange Act of 1934.”
14 | Using Social Media | Privacy Controls for Facebook
15. Compliance considerations
•• Social networking sites, such as Facebook, offer no native archiving
functionality, making it difficult to comply with Regulatory
Notice 07-59 that spells out the requirements for review “by a
supervisor of employees’ incoming, outgoing and internal electronic
communications.”
•• Native archiving functionality offered by unified communications
and other real-time communications tools is rarely able to provide
a granular breakdown of conversations by persons (including
buddynames), key phrases, and timeframes, which are essential for
compliance and eDiscovery requirements.
•• This is further complicated by the various modalities used in
conversations – from IM to BlackBerry.
Compliance recommendations
Enterprises should deploy a central archiving system that enables
easy review of posted messages and detailed analysis of electronic
conversations, including file downloads both internally and externally,
complete with an audit trail of the auditor reviewing the information. In
addition, the information should include who joined a conversation, when
they joined, when they left, any disclaimers shown (e.g., at the beginning
of an IM conversation), call detail records, etc.
Using Social Media | 15