An opportunity or a headache?

An opportunity or a headache?

Mushtaq Dost looks at the emerging compliance issues around

social media and, more importantly, how social media is regarded by the regulators, is an area of interest and concern for anyone who conducts business in today’s financial world. the power of social media rests in public information being shared through communities. It may appear innocent enough, but as social media has grown, the lines between our personal and professional lives have become so blurred that it is increasingly difficult to separate what represents “private” information anymore. Facebook, Myspace, twitter, and LinkedIn, are now part of the social vernacular and have become powerful tools for many employees, both on a personal and professional level, so much so that a recent article in Forbes magazine, entitled “Social Power and the Coming Corporate Revolution”, argued that the social media revolution will so empower employees and customers that eventually they will be calling the shots in firms rather than the management. this information power struggle, coupled with the broad adoption of social media in the workplace, is prompting business leaders to contemplate procedures on how best to safeguard both employee and corporate interests. For Compliance, the use of social media in marketing and other corporate communications has become the most perplexing issue, creating the need to understand the unique risk issues involved. How does this new way of connecting with the world fit into the firm’s strategic risk and growth planning? Most other industries recognize that this medium can provide business benefits by promoting the brand, products and services to both existing, and future customers. However, the highly regulated world of financial services has prevented many from jumping on board.

Despite concerns social media compliance is not nearly as complicated as it seems Regulations and responsibilities

Despite these concerns social media compliance is not nearly as complicated as it seems.

A financial firm’s main responsibility when it comes to communicating through social media is to be fair, clear and not misleading and also to take responsibility for customer data. this seems simple enough, but firms need to be very careful to avoid bad publicity caused by poor planning. A sense of proportion is highly important. negative comments by disgruntled customers or employees can potentially reach thousands – possibly millions – if they are a well known blogger or if readers are actively searching for mention of the firm. the digital footprint has suddenly become much more significant and permanent. As social media becomes more pervasive as a method of business communication, Compliance will need to become increasingly tech-savvy and understand the use of each social media platform and device and how they fit in with the firm`s regulatory obligations.

some commentators have suggested that regulations as they currently stand are out of alignment with reality, with most regulators trying to fit social media into existing promotions and communication rules. the social media landscape is continually evolving, and it remains to be seen whether current rules

the burgeoning sphere of social media, and considers how compliance professionals and firms can stay abreast of the issues in this fast-moving area

over time can cover every social media platform, technology and device. As with any new technology, social media and its practical aspects will be monitored by the regulator for a certain period of time before any meaningful guidance and/or new rules are put in to effect.

A case in point is the uK where the Financial services Authority (FsA) regulates the majority of financial communications through its Conduct of Business (COB) rules. the FsA is currently monitoring the effects of social media and compliance against these rules having sent an update notice last year. A review had found that communications through social or “new media” had lacked compliance with a number of established safeguards.

twitter. Concomitantly, upon assessing any violation of these rules, the FsA is indifferent to whether the communication was made through social media or any other written or personal contact.

In its update last year, the FsA noted that a review had found that companies were publishing twitter updates or commenting on discussion threads without the usual disclaimers and risk warnings and engaging in behaviour that acted as promotional activity that went beyond “image advertising”. Image advertising consists of the firm’s logo, contact point and reference to the types of regulated activities provided or to its fees and commissions. When a communication goes beyond this, it will need to comply with the relevant communication rule, namely COBs 4 (the rule on communicating with clients). the treatment of image advertising varies depending on the type of product (and therefore on which source book applies) but in many cases image advertising is exempt from most of the financial promotion rules. However, the fair, clear and not misleading rule always applies and any social media promotions and communications must also meet the requirements for standalone compliance. A note published in 2009 by the FsA states that “every financial promotion must comply with all relevant financial promotion rules. It is not acceptable, for example, for firms to omit important risk information just because they intend to give it later in the sales process.”

An important Compliance issue here is that, for the FsA, financial promotion rules are “media neutral” which means that that they remain the same regardless of whether an advertisement is published in print, a blog or sent through

Technical controls

For Compliance, finding which particular social media channel is appropriate for what type of communication is an important

In the coming year, social media compliance will be one of the major issues and a primary area of review for compliance officers

concern. If the communication is balanced, then the audience should be able to read the item and understand exactly the nature of the product or service, their commitment and associated risks. While Compliance guidance can focus on this outcome, manual procedures and other processes currently used to approve content and mitigate risk, must also be scalable.

How can you ensure, for example, that someone in your firm is not accessing a social media site and inadvertently placing information that could be deemed a financial promotion? some firms are implementing technical controls, such as web filtering, that restrict social media sites. Although this may help protect the firm while employees are connected to its network, most technical controls do not address smart phone and other mobile devices, such as laptops, when they leave the firm’s premises.

Having the ability to record activity and content and to monitor employee activity on social media sites is crucial. records related to firm communications are required to be maintained for at least five years. Many firms are turning to outside help from vendors that can provide electronic retention of social media communications. However, firms need to use caution here as the technology to capture and retain messages sent or received via social media sites is still evolving.

Policies and procedures

A firm needs to have a clear understanding of its social media compliance obligations. there must be policies and procedures in place that address behaviours that may fall outside “normal” compliance rules. Compliance needs to be involved at the very beginning when talk of social media begins to emerge. Incorporating a social media risk assessments into the firms overall risk framework will go a long way in prevent compliance related problems. the ABA Banking Journal made the following recommendations:

• Engage a multidisciplinary team – social media affects the whole firm and a range of functions. Any risk mitigation strategy should include representatives from Hr, It, Legal, Marketing, risk Management, Public relations and Compliance. the risk committee should retain ownership and track progress.

• Document current and intended social media use – the team should document how each function uses social media and how it intends to use it in the future.

• Perform a risk assessment – the team must identify and quantify the various risks associated with social media use and put in place safeguards and controls taking into consideration the likelihood and potential damage of a disgruntled customer or employee to the firm’s reputation, its products and brand.

• Expand current policies to include social media – Once risks have been identified, the firm will need to decide whether any changes to its existing policy need to be made to address these risks. social media guidance can be included is a stand-alone policy or incorporated into existing policies. regardless, the policy needs to be easily accessible to employees and include reference to: appropriate use of social media; Hr policies; It security; marketing and communications policies; and vendor management policies.

• Implement safeguards – A firm will need to consider bespoke It security safeguards and evaluate a new set of

technical risks and mitigate them with appropriate It policies and controls.

• Provide social media training – employees need to understand the firm’s social media policy. training should include examples of appropriate and inappropriate communications and actions, distinguish between positive and negative use, and highlight the threats posed by each different platform. As with other compliance training, training should be a frequent occurrence.

• Monitor social media platforms – Firms also need to monitor the different platforms that have been approved for use. some It solutions by third party vendors can help monitor public channels for social media chatter that could affect the firm. In the coming year, social media compliance will be one of the major issues and a primary area of review for compliance officers. A robust risk management framework coupled with a proper understanding of how to use social media networks may prove to be a tremendous opportunity for many firms. Instead of trying to ban or block social media, firms should embrace the world of social media. However, they must also know the risks and prepare for them.

Mushtaq Dost is the Principal / Managing Director of Trafford Consulting SL. He can be contacted at: + 34 93 268 82 82 or dost@traffordconsulting.com

1 http://www.informationweek.com/thebrainyard/news/social_ networking_consumer/229402623

2 the full rules can be seen at http://fsahandbook.info/FsA/ html/handbook/COBs/4

3 http://www.fsa.gov.uk/pages/Doing/regulated/Promo/pdf/ new_media.pdf

A financial firm’s main responsibility when it comes to communicating through social media is to be fair, clear and not misleading and also to take responsibility for customer data