Would Your Social Media Activities Pass Regulatory Scrutiny?
Registered Investment Advisers (“RIAs”) know there are lots of benefits in using social media to grow their business. How else can you reach existing clients or get qualified leads for little to no money? But as with all things that are too good to be true, there are real risks in using social media. Despite its effectiveness in promoting an adviser’s business, practices, and expertise, social media can be a risky proposition for RIAs due to the number of potential compliance pitfalls. To manage these risks, we recommend that RIAs establish and maintain a Social Media Compliance Program. The attached checklist sets out an overview of key considerations based on recent SEC sweep exams concerning the use of Social Media.
Consider an RIA that allows multiple individuals to access multiple social media sites but has little to no controls in place. Such a firm:
- Is unable to enforce review and approval requirements before posting;
- Has poor or non-existent auditing abilities; and
- Lacks archival capabilities.
What are some likely results? Exposure to compliance, regulatory, legal and reputational risks, such as:
- Social media account gets hacked, and you have no response plan;
- Unreviewed posts containing false, misleading or mistaken information; or
- An employee posts disparaging or confidential information.
And that’s not the end of it. Advisers also know that these activities are scrutinized by an array of state and federal regulators to protect investors. Complicating matters, social media use is now so prevalent that banning it outright is hardly an option, if not unrealistic.
OK, don’t despair: you can still use social media as part of your marketing strategy, but you should do so only if you have instituted effective compliance controls. Fortunately, you don’t have to start with a blank slate. Regulators and industry gurus have published lots of guidance and best practices, including a useful risk alert from the SEC on social media controls. Most of the guidance focuses on having a clear policy, training, and monitoring to make sure social media activities remain compliant.
Below is an outline of possible components of your Social Media Compliance Program. Regardless of your approach, when designing your program, make sure to factor in the size of your firm, your business, applicable regulations, and the expected scope and objectives of your social media activities.
Social Media Compliance Program Components
- Policy – Create a social media policy that will guide your employees’ activities by:
  - Accounting for laws and regulations applicable to your social media activities;
  - Setting minimum use standards:
    - Maintain professional standards in all communications;
    - Protect confidential, sensitive customer and proprietary information;
    - Protect intellectual property; and
    - Prohibit libel/slander and defamation issues, as well as harassment and other employment-related infractions;
  - Stating which types of content are permissible and those that are not, as well as those that require pre-approval (for example, any social media activities that may trigger advertising rules; check out our article on Advertising Do’s and Don’ts);
  - Indicating who can use social media on your behalf and if there is an approval process before using social media;
  - Advising which social media channels are permissible and which ones are not; and
  - Noting general consequences for non-compliance.
- Training and Education – communicate your social media policy to your employees (including issuing reminders), and train them periodically to make sure they know and remain current on your policy.
- Monitoring – monitor compliance with your social media policy such as:
  - Adopting technology that can facilitate any pre-approval requirements;
  - Using social media monitoring tools and techniques to look for violations (for example, keyword surveillance that searches social media content by keywords, date, and other variables);
  - Reviewing sample reporting to gauge overall activities as well as to help identify potential non-compliant activities; and
  - Including controls designed against cybersecurity threats introduced through social media channels.
- Record Retention – maintain records of your social media activities by:
  - Archiving required records for the required period and e-discovery purposes; and
  - Collecting and storing information on your social media users in a convenient place to facilitate reviews and monitoring, and updating the information as employees leave your firm.
- Third-Parties – if you use third-party service providers to engage in social media activities (for example, using a social media site owned and maintained by one), consider:
  - Before entering into the arrangement:
    - Assessing and documenting the risk presented by the third-party;
    - Performing due diligence to confirm, among other things, its financial stability, reputation, policies, and procedures for handling confidential and sensitive information, and mechanisms for protecting the confidentiality of customer information;
    - Documenting terms and conditions (who controls the data, can change it, have access to records, etc.), which should be reviewed by your legal counsel; and
  - Monitoring activities during the engagement.
- Maintenance – a periodic evaluation to measure the effectiveness of your social media controls:
  - Determining if your objectives are met; and
  - Remaining up-to-date with compliance rules and factoring these into your controls.
Setting up compliance requirements for social media may seem daunting, but it’s not impossible. Remember these simple rules:
- Guide – make sure to define and publish your social media policy to guide your employees on how to use social media properly (including do’s and don’ts);
- Protect – educate your employees and others authorized to use social media on your behalf and monitor their activities to protect your firm; and
- Maintain – social media is always evolving, so maintain your social media controls through periodic reviews and update them for full effect.
Start your program now before you have to because of a regulatory review. Use the guidance listed here and make sure to get input from different stakeholders. If you still need help, don’t forget that the Adherence LLC group is available to help design or assess your social media controls. For more information on how they can help, contact Adherence at http://www.adherencellc.com/contact/.