- OCIE’s Social Media Alert: Proceed With Caution, Maintain Required Records, and Adopt and Implement Robust Policies and Procedures
- January 13, 2012 | Authors: David C. Boch; W. Hardy Callcott; Jeffrey O. Himstreet; Paul M. Tyrrell; Michael R. Weissmann
- Law Firms: Bingham McCutchen LLP - Boston Office ; Bingham McCutchen LLP - San Francisco Office ; Bingham McCutchen LLP - New York Office ; Bingham McCutchen LLP - Boston Office
On Jan. 4, 2012, the staff of the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission issued a National Examination Risk Alert concerning investment advisers’ use of social media.1 As with the previous adoption of email, Internet websites and instant messaging decades ago, OCIE staff is taking a content-driven approach to applying the Investment Advisers Act of 1940 to communications through social media such as Facebook, LinkedIn and Twitter. With each new technology the industry embraces, the resulting compliance challenges highlight the fact that applicable Advisers Act rules remain largely unchanged since their initial adoption as many as 50 years ago.
The OCIE guidance, however, is in conflict with recent guidance on social media issued by the Financial Industry Regulatory Authority (FINRA) to broker-dealers. Conflicting regulatory guidance on how to treat social media could have broad implications for firms that implement social media policies on an enterprise-wide basis, especially “dual registrant” firms that provide both brokerage and investment advisory services.
Our experience is that advisers take varied approaches with the use of social media. Some firms prohibit investment adviser representatives (IARs) and others from using social media altogether, while others may permit basic “business card” information on a site such as LinkedIn but prohibit personnel from sending communications or commentary, or from responding to third-party posts. OCIE staff noted that a majority of the advisers it observed prohibited the posting of recommendations or information on specific products or services on their social media sites.2 Still other firms allow personnel to post from a pre-approved “library” of content while others permit a widespread use of social media sites in the same manner as they do email communications and supervise those communications accordingly. The purpose of this alert is to discuss the Risk Alert and offer practical guidance for firms in developing or enhancing their social media policies.
A. The Recordkeeping Rule: Advisers Act Rule 204-2
Registered advisers are required to maintain and preserve business-related records. Accordingly, the threshold question for any adviser considering social media is a determination of how to comply with the recordkeeping requirements. Advisers that communicate through social media must retain records of those communications if they contain information that would be covered under Advisers Act Rule 204-2(a)(7) (communications relating to investment advice, the movement of cash or securities, or order placement or execution) or otherwise covered under Rule 204-2 (such as an advertisement). Communications made through social media or elsewhere must be maintained and preserved for five full fiscal years, the first two in an appropriate office of the adviser.
Of course, investment advisers do not have the broad “business as such” record retention requirement that applies to broker-dealers. However, because it is often impractical to distinguish between communications subject to the Advisers Act retention requirements and those that are not, the practical effect is that investment advisers may need to retain all social media communications. Unlike broker-dealers, investment advisers do not need to use “WORM” storage for records they retain electronically.
Third-party electronic storage providers have begun to offer social media monitoring and archival as part of the suite of services they offer to financial services firms. Advisers using third-party storage (or electronic storage generally) are reminded of the indexing and format requirements of Rule 204-2(g).
B.The Compliance Rule: Advisers Act Rule 206(4)-7
The use of social media by registered advisers is subject to the Advisers Act Rule 206(4)-7 obligation to adopt and implement written policies and procedures that are reasonably designed to prevent, detect and correct securities law violations.3 The need to assess periodically the efficacy of a firm’s social media policies and procedures is particularly acute in the face of rapidly evolving technologies and firms’ increasing embrace of them.
The OCIE staff credited many firms for having adopted specific social media policies and procedures but noted several opportunities for improvement. Social media sites can be used for virtually any type of communication, making an adviser’s policies and procedures relating to client communications, advertising, and even the delivery of client materials potentially applicable to use of these sites. Many firms, noted the staff, have procedures that apply to advertisements and communications generally, but may or may not specifically include communications via social media. The staff stated that this lack of specificity may provide insufficient guidance to firm personnel in assessing the standards applicable to social media usage. In addition, firm procedures may not be sufficiently specific to identify permissible and impermissible forms of social media.
Lastly, the OCIE staff noted that many firms’ procedures do not address the use of social media by solicitors.4 Under state law, solicitors may be licensed as (IARs) of the adviser and as such may be subject to some or all of the adviser’s policies and procedures that apply to IARs.
The OCIE staff offered a “non-exhaustive” list of factors for advisers to consider when evaluating the effectiveness of its compliance program as it relates to firm, advisory personnel or solicitor use of social media. OCIE was quick to point out that the use of any or all of the factors listed by the staff does not create a safe harbor for advisers. The considerations include:
Do the procedures provide guidance to IARs and solicitors on the appropriate and inappropriate uses of social media, such as a list of approved social media networking sites, or prohibit the use of certain functionalities on a site
Does the content created by the firm or its advisory personnel pose fiduciary or regulatory risk, such as the inclusion of investment recommendations or performance?
How will the firm monitor its social media sites or firm use of third-party sites? What about use of social media sites by the adviser’s IARs or other advisory personnel? A firm may consider using sampling, spot checking, or lexicon-based or other search methodologies, or a combination of methodologies, to monitor social media use and content.
With what frequency will firms that use social media monitor the postings on a site? The staff notes that an after-the-fact review of objectionable content days after it was posted may not be a reasonable form of supervision.
Should the firm require pre-approval of social media postings? How practical is a pre-approval requirement for time-sensitive information such as market commentary? If the firm is a dual registrant should it impose the same approval requirements for its investment advisory communications as it does for communications under FINRA rules?5
Has the adviser dedicated sufficient compliance resources to monitor adequately IAR or solicitor activity on social media sites, particularly where the firm has numerous IARs or solicitors? Should the firm outsource its monitoring functions?
What social media sites are acceptable for firm use and which ones are not? Is the firm incurring any reputational or regulatory risk in permitting the use of certain sites? What about the privacy policies of the social media site? Red flags for firms would include social media sites with weak privacy or information security controls or the inability to restrict client-users’ privacy data. Does the site allow firms to remove third-party posts or limit anonymous posting? Does the site permit advertising by third-parties that the adviser may find objectionable?
Does the firm require training before allowing persons to use social media? Such training, as well as robust policies and procedures, can help shield a firm from a supervisory claim if one of its IARs or solicitors posts content on social media that violates the securities laws.
Should the firm require its IARs and solicitors to attest that they understand and are complying with the adviser’s social media policies? This certification could be incorporated into the annual compliance certifications that many firms require of their advisory personnel.
Should advisers allow IARs or solicitors to conduct firm business on personal (non-business) or third-party social media sites such as Facebook? While a firm may determine that it is appropriate to permit business card information on a specific personal site or third-party site (e.g., LinkedIn), the staff notes that it may choose to prohibit conducting firm business on that site.
What kind of information security risks would the use of a social media site by an IAR or solicitor pose? OCIE staff suggested that advisers may consider “adopting compliance policies and procedures to create appropriate firewalls” between customer information, the adviser’s own proprietary information and any social media site if its IARs are permitted access.6
Advisers that are part of larger, diversified financial services firms should consider whether the enterprise-wide corporate policies are reasonably designed to prevent violations of the Advisers Act for all advisory affiliates.7
C. Third-Party Content
The OCIE staff noted that most firms allow third parties to make postings on their social media sites, but the policies and procedures vary in what types of postings are permissible, with some firms allowing third parties to post messages, articles, and other communications, but other firms permitting only firm-driven messaging with no third-party postings, while still others will permit third-party postings but prohibit responses from the firm or its IARs or solicitors. If firms permit third-party postings then they must monitor such postings to mitigate reputational risk and respond to any client complaints or other communications that warrant follow-up from the firm. OCIE staff encouraged firms to post disclaimers stating “that they do not approve or endorse any third-party communications posted on their site in an attempt to avoid having a third-party posting attributed to the firm.”
D. The Advertising Rule: Testimonials and Advisers Act Rule 206(4) — 1
The OCIE staff has taken the position that advisers should treat social media as advertisements, in contrast with FINRA’s view that a post on a social media site is more akin to a “public appearance” and does not by itself trigger the advertising rules. In stark contrast, in applying the Advisers Act to social media, SEC staff has stated its belief that allowing a client to “like” an adviser on sites such as Facebook could constitute a testimonial for purposes of the Advisers Act “depending on the facts and circumstances” relating to the statement.8 The Risk Alert’s treatment of what may constitute a “testimonial” in violation of the Advisers Act suggests that these posts are advertisements and as such, the investment adviser may be held responsible for the posts. This approach has already prompted much criticism. (The term “testimonial” is not defined in Rule 206(4-1(a)(1), but the SEC staff has “consistently interpret[ed]” the term to include a statement of a client's experience with, or endorsement of, an investment adviser.9) We note that some social media sites do not allow a user to disable the “like” button; thus, an adviser using such sites may wish to monitor and remove any third-party postings or “likes” that may run afoul of the prohibition on testimonials.
A further complication is that on most social media sites, the firm cannot delete a third party’s “like” without deleting its own entire original post. Moreover, many social media sites do not allow the user to disable the “like” function. As a result, to avoid being held responsible for a “like” by a third party, firms essentially will be forced to disable or block any sort of “like” feature on their own websites and may not be able to use third-party social media sites (like Facebook) if they do not provide the capability of blocking “likes.” By curtailing the exchange between the firm and the public in this way, OCIE’s guidance may, in effect, remove the “social” aspect from social media.
By contrast, under FINRA’s guidance to broker-dealers, third-party posts are not generally attributed to them unless they either “adopt” the post, or otherwise become “entangled” in the post. In other words, a third party’s posting is not deemed to be the broker-dealer’s communication at all—much less an advertisement or testimonial. Under FINRA’s guidance, a third party’s decision to “like” a posting would, therefore, not be deemed a communication for which the broker-dealer is responsible. This fundamental difference in view is likely to create significant headaches for compliance departments. For example, if a dual registrant posts a generic comment that does not clearly relate to either brokerage products or investment advisory services, is that comment subject to the FINRA guidance, the OCIE guidance, both or neither?
The technologies surrounding social media are dynamic and quickly evolving, and advisers are quick to leverage the technologies used by their clients and prospective clients. A recent study found, for example, that 33% of LinkedIn users have a graduate degree, compared with 21% for Internet users generally, and tend to be older and more affluent than Facebook or Twitter users10: in other words, the kinds of prospective clients targeted by many advisers. The Risk Alert cautions advisers to be aware of the risks associated with using various forms of social media and remind advisers that, like any other form of electronic communication, the securities laws continue to apply.
1 OCIE, National Examination Risk Alert (Jan. 4, 2012) (avail. at http://sec.gov/about/offices/ocie/riskalert-socialmedia.pdf) (OCIE Risk Alert).
2 Id. at n. 12.
3See Rule 206(4)-7. See generally Compliance Programs of Investment Companies and Investment Advisers, 68 FR 74714, 74716 (Dec. 24, 2003).
4 See OCIE Risk Alert, at 2.
5 See id., at n. 13.
6 OCIE Risk Alert, at 5.
7 See id.
8 OCIE Risk Alert, at 6.
9 See id.
10 Laura Aronsson and Bianca Male, “The Secret To A Better Social Media Strategy: Demographics” (Feb. 18, 2010) (avail. at openforum.com).