FINRA has published Regulatory Notice 11-39 providing guidance on business communications on social media websites and on personal devices, particularly with respect to recordkeeping and supervision. FINRA stated that the notice provides further clarification of the guidance provided in Regulatory Notice 10-06 (“Social Media Websites”) but is not intended to alter the principles stated in the earlier notice. This article summarizes the guidance provided in Regulatory Notice 11-39, which is presented in a question-and-answer format (questions 1-14 and their responses are referred to as Q1-Q14).
Most of the guidance in Regulatory Notice 11-39 is organized around three key distinctions: business vs. non-business communications; firm vs. third-party material; and static vs. interactive communications. For any given communication, these distinctions have important consequences for a member firm’s liability for the communication’s content, the need for supervisory approval of the communication and recordkeeping responsibility with respect to the communication.
Business vs. Non-Business. SEC Rule 17a-4(b)(4) under the Securities Exchange Act of 1934 requires a firm to retain records of communications that relate to its “business as such.” The analysis of whether a communication is business-related does not depend on whether it is made on a personal device of a registered person or a firm-issued device; rather, it depends on the content of the communication. A communication by a registered person relating to the firm’s business would be subject to the record-keeping requirement even if sent through a third party’s platform or system. Firms must have policies and procedures to (i) train associated persons regarding the difference between business and non-business communications and (ii) ensure that any business communication made by an associated person is retained, retrievable and supervised (Q1).
Firms may permit associated persons to use personal communications devices, whether owned by the individual or the firm, for business communications, provided that the device includes programming to capture business communications. If the device is also used for personal (non-business) communications, and the user is able to separate personal and business communications on the device, the firm is not required to supervise personal communications. However, the firm may, if it considers it prudent, treat all communications on the device as business communications, subject to its review (Q14).
Autobiographical information that associated persons post about themselves may be business or non-business, depending on the context in which it is presented. A resume sent to a prospective employer is not relevant to the business of the individual’s current firm. Autobiographical information presented with information about the products and services of the member firm would be viewed as a business communication (Q2).
Firm vs. Third-Party Material. Third-party material posted by a firm or its associated persons is generally not treated as the firm’s material for purposes of NASD Rule 2210 (Communications with the Public) unless the firm or its associated persons have adopted or become entangled with the posted material. The recordkeeping requirements, however, require retention of the material if it relates to the business of the firm (Q4).
The concepts of adoption and entanglement were developed by the SEC in its interpretive releases on Use of Electronic Media (Rel. No. 33-7856, April 28, 2000) and Use of Company Web Sites (Rel. No. 34-58288, Aug. 1, 2008) in the context of securities registration, and adapted by FINRA for member firm communications in Regulatory Notice 10-06. A firm is considered to be entangled in third-party material if it was involved in the preparation of the content. A firm is considered to have adopted third-party material if it explicitly or implicitly endorses or approves the content. A firm that co-brands any part of a third-party site, such as by placing the firm’s logo prominently on the site, is considered to have adopted the entire site, and is responsible for its contents (Q10). A firm is not responsible for the content on a third-party site to which it links if the firm does not adopt or become entangled with the content of the third-party site and the firm does not know or have reason to know that the site contains false or misleading information (Q11). Deleting some inappropriate third-party content (for example, screening for offensive material) does not in itself cause material that is not deleted to be deemed adopted (Q12).
Firms should have policies to cover what associated persons must do in the event that a third party posts a business-related communication on an associated person’s personal social media site. For example, if the firm does not permit business communications on personal devices or social media sites, and a customer or prospective customer posts a question about securities on the associated person’s Facebook page, the associated person could be instructed to advise the person to address his or her question to a firm-approved communications medium. If the firm permits associated persons to engage in business‑related communications on personal devices or in social media sites, the policy must provide for supervision of the communications (Q9).
Static vs. Interactive Communications. FINRA considers unscripted participation in an interactive electronic forum to come within the definition of a “public appearance” under NASD Rule 2210, which does not require prior approval by a registered principal. Firms must adopt procedures for post-use review reasonably designed to ensure that interactive electronic communications do not violate SEC or FINRA rules, including the content standards of Rule 2210. A static posting, on the other hand, is deemed an “advertisement” under Rule 2210, requiring pre-use approval by a registered principal. Interactive content on a social media site may become static if it is copied or forwarded and posted in a static medium. If the static posting was created or adopted by the firm, it will be subject to pre‑use approval, i.e., approval prior to being converted to static form (Q6).
Recordkeeping requirements do not differ for static and interactive communications. If they are business related, they must be retained (Q5). A firm or associated person may not sponsor a social media site or use a communication device that includes technology that automatically erases or deletes the content, as that would preclude the ability of the firm to retain the communications in compliance with its obligations under SEC Rule 17a-4 (Q3).
Material changes to static content posted by a firm or its associated persons are subject to separate pre-use approval before the material changes take place (Q8). Rule 2210 permits special treatment of material changes to statistical information provided on the firm’s website. Statistical information that is presented in a static format is considered an “advertisement” under the rule and thus subject to approval and recordkeeping requirements. However, a firm may establish templates for the presentation of the data, and subject the templates to the approval process. The data used to populate the template fields would not be subject to approval each time it changes. Firms using templates for statistical information must have procedures reasonably designed to ensure that the data can be verified as timely and accurate and that the firm can promptly correct data that is erroneous when posted or after the passage of time.
Ongoing Monitoring of Compliance. FINRA expects firms to conduct appropriate training and education concerning its policies relating to the use of social media. Firms are required to look for and follow up on “red flags” that may indicate an associated person is not complying with the firm’s social media and communications policies (Q7). Steps firms can take to ensure better compliance include (1) requiring each associated person to certify on an annual or more frequent basis that he or she is acting in a manner consistent with the applicable social media policies and (2) when feasible, conducting random spot checks of the websites and other social media sites of associated persons to monitor compliance with firm policies.