It’s not just your kid, and it’s not only the millennial down the street. According to Hootsuite, “There are over 3 billion internet users – and over 2 billion of them have active social media accounts. Popular social platforms have become marketing giants, offering businesses valuable data about their customers and a (mostly) free way to reach them.”
Due to the undeniable proliferation of cloud-based social media platforms as primary communication vehicles to customers, strategic partners, employees, and the public at large, social media content has become fair game for eDiscovery and regulatory compliance.
Financial Services Organizations Getting Social: FINRA, SEC and CFTC Follow with Strict Guidelines
The financial services industry has followed suit, increasingly utilizing cloud-based social media for internal and external communications. Consequently, FINRA, the SEC and the CFTC, which have all penned rules for how financial organizations can communicate with clients, have now updated those rules to outline social media use guidelines. These guidelines extend to the retention, accessibility, and protection of these communications, just like more traditional communication vehicles such as email. For instance, FINRA issued regulatory notice 10-06 stating that, “Every firm that intends to communicate, or permits its associated persons to communicate, through social media sites must first ensure that it can retain records of those communications.” FINRA followed shortly afterwards with added clarification issuing notice 11-39, “Social Media and the Use of Personal devices for Business Communications.”
SEC Rule 17a-4(b) requires broker-dealers to preserve targeted records for a period of not less than three years, the first two in an easily accessible place. Among these records, are “originals of all communications received and copies of all communications sent (and any approvals thereof) by the member, broker or dealer (including inter-office memoranda and communications) relating to its business as such.” Also, FINRA, the SEC and CFTC have all stated that “electronic communications” are not limited to email but now include social media content as well.
The reasoning behind these communication retention requirements are so the regulatory agencies can conduct effective examinations of broker-dealers’ business practices. These records retention requirements are also discoverable under specific rules as part of the arbitration procedure when broker-dealer clients believe they have been wronged.
Social Media Platforms Continue to Proliferate
The cloud has enabled us to share and connect socially anytime, from anywhere. In fact, it seems like every time I blink, a new cloud-based social media platform has been introduced. They run the gamut and include social networking (Facebook), micro blogging (Twitter), rating/review (Yelp), collaboration (Wikipedia), dating (Tinder), photo sharing (Instagram and Pinterest), video sharing (YouTube and Vimeo), business networking and communications (LinkedIn), and the list goes on. Sharing socially has clearly become the norm.
Unfortunately for financial services companies, public social platforms can be very difficult to monitor and control. And, since many business professionals have just one Twitter, LinkedIn or other like account, an added level of complexity is added when trying to determine if a statement was made wearing their “professional” or “personal” hat. Some are asking, is there really any difference? Does a statement saying something along the lines of “these comments are mine, not those of my employer” sufficient in a legal or regulatory setting, especially if they are on the company’s social media account? And since most business professionals access these platforms from both in and outside of a traditional office setting, companies are limited in their ability to manage and control the content and communications that are being shared. For the most part, the companies and regulatory agencies can only monitor what is being shared, and then after the fact bring disciplinary action against the individual and/or employer, i.e., fines, licenses forfeiture, loss of employment, etc.
Technology Is Still the Light at the End of the Tunnel
Not surprisingly, technology offers the light at the end of the tunnel. Smart vendors that stay close to their financial services customers understand this pain and are developing technology solutions to overcome these challenges. For instance, there are emerging technologies that can automate the monitoring and capture of employee social media activity and alert the company to prohibited actions, such as releasing confidential information, trafficking in insider information, or promising clients specific return rates, whether they are doing it from within the office environment or externally via the cloud.
In response to increasing regulation around records keeping and management, innovative vendors are introducing solutions that not only find and alert on business-related social communications, whether they are sanctioned or prohibited, but also offer auto-intelligence around capture, storage, retention and deletion either directly or via strategic partners.
Once found and captured, the financial services industry is required to store this data on immutable storage. On-premises WORM storage was at one time the only game in town and priced accordingly, but these vendors have been consistently losing market share to cloud vendors offering similar capabilities. And while cheaper to get in and stay there – buyer beware – the cost to leave can be exorbitant, and some cloud vendors even impose bandwidth limitations meaning it could take months to get your data out.
Of course, that’s not everyone. There are well-known and highly respected cloud solutions like Microsoft’s Office 365 and Azure which, together with their strategic partners, offer cloud storage and information management solutions that ensure financial services regulatory compliance, and don’t lock you in.
Your best strategy here? Explore your options. Then, when you have narrowed the list, work to explicitly understand how the vendor delivers these capabilities and get it in writing. Third-party expert validation is also critical here. Then test it for yourself. Your boss will thank you, your company will thank you, your résumé will thank you.
About the Author
Bill Tolson has more than 25 years of experience with multinational corporations and technology start-ups, including 15-plus years in the archiving, ECM, information governance, regulations compliance and legal eDiscovery markets. Prior to joining Archive360, Bill held leadership positions at Actiance, Recommind, Hewlett Packard, Iron Mountain, Mimosa Systems, and StorageTek. Bill is a much sought and frequent speaker at legal, regulatory compliance and information governance industry events and has authored numerous articles and blogs. Bill is the author of two eBooks: “The Know IT All’s Guide to eDiscovery” and “The Bartenders Guide to eDiscovery.” He is also the author of the book “Cloud Archiving for Dummies” and co-author of the book “Email Archiving for Dummies.” Bill holds a Bachelor of Science degree in Business Management from California State University Dominguez Hills.