August 28, 2013

AdvisorAssist CCO Series: Social Media Compliance

Advisors are jumping into social media to communicate with clients, generate new business and even service clients. However, many chief compliance officers ("CCOs") are confused on how to proceed.

Social media is an incredibly powerful medium to efficiently build brand awareness, demonstrate knowledge and expertise among your audience, communicate with prospective clients, deepen relationships with and serve your existing clients. It can become a powerful tool in your content marketing arsenal if your firm commits to a long term, strategic approach to social media engagement.

This blog post focuses on how CCOs can properly implement social media activity within their RIA firm. For guidance on specific social sites, see our presentation, "Confident and Compliant Social Media for Advisors".

RIA Social Media Compliance In a Nutshell

Usage Guidelines
CCOs should establish usage guidelines that are communicated through a formal social media policy. This policy will define who within your firm can use social media, which sites are allowed and what your expectations are with respect to their use. Be sure to include IARs, solicitors and any third-parties that are subject to your policies and procedures.

When determining which social media sites may be used, some factors to consider include:
  • The functionality of each site (and monitor upgrades and modifications to each site) and which of these functions may be modified by the user,
  • the reputation of the site,
  • the privacy policy of the site,
  • your ability to remove third-party posts, and
  • your ability to control or remove posts made by others.

Content Standards
CCOs are responsible for providing guidance on appropriate and inappropriate social media usage. One way of doing so is to establish written content standards that consider the risks that certain activities invite to your firm. These standards should specifically address the use of performance results, security recommendations or specific references to the services you provide to advisory clients.

Note: Because of the accompanying risks, most RIAs do not allow content related to security recommendations or references to specific services.

Pre-approval is not a requirement. If you elect to not pre-approve social media activity, you should be prepared to articulate your rationale for why you believe "after-the-fact" social media activity review is sufficient for your circumstances.

Third-party Content
Most CCOs allow third-parties to post content on their firm's social sites. Third-party content may include: articles, forward links or other messages.

To be somewhat more conservative, some firms limit third-party interactions to "one way postings", where IARs post on the firm's social media sites but do not interact with or respond to third-parties. Even more conservative firms will limit third-party postings to authorized users only and/or prohibit posts by the general public.

Which approach to take comes down to a business decision on your part. If your firm does allow third-party content, just be sure that you have procedures in place to monitor these posts for inappropriate content (e.g. testimonials).

Like all other advertising activities, CCOs are responsible for effectively monitoring communications that are available to the general public. To demonstrate this ability to monitor, we strongly encourage RIAs to use a social media archiving solution that allows the CCO to not only abide by books and records requirements (see below) but also monitor activity. These monitoring procedures should be laid out in your social media policy.

If your firm is a hybrid RIA (advisory persons are also associated with a broker-dealer) you will also have to follow the technology and process requirements set forth by the broker-dealer. Pure RIAs are left with the decision to implement monitoring and archiving software or have a process to enable the firm to effectively meet the advertising, supervision and records requirements. A smaller advisor with only intermittent postings may opt for a well-defined workflow process to review and archive social media content. A firm with more frequent activity or several posters, will likely find that the opportunity cost of their time is higher than the cost of social media surveillance and archiving tools.

CCOs are obligated to maintain records of any social media activity that may be deemed a "required record” for five years following the last year it was used. Rather than making this determination on a case by case basis, most RIAs have adopted an overarching policy of archiving all social media communications.

IARs may not alter any settings within social media sites that interfere with or preclude your firm from archiving communications. In cooperation with these policies, IARs may not destroy or alter any communications after they have been posted on a social media site (i.e. an attempt to alter archives)

Through the Regulator's Eyes

The most important thing to remember is that ALL social media is within the scope of "advertising" and subject to all aspects of the "advertising rule" that defines your responsibilities as an RIA. (Yes, this includes LinkedIn profiles.)

Social media is a very high priority for both SEC and state regulators today. While they are continuously trying to keep up with the added complexities that accompany these new tools (See: SEC National Examination Risk Alert, "Investment Adviser Use of Social Media"), it is probably fair to say that social media regulatory oversight is here to stay and will continue to evolve.

To get a sense of one state regulator's findings during a social media sweep in 2012, see this deficiency letter that was sent to a state-regulated RIA in 2012.

CCO Best Practices for Social Media Compliance

  • Develop and deliver a social media policy for your firm and use an attestation form to collect information about each IAR's intended social media outlets, credentials and certification that they understand your firm's social media policies.
  • Develop procedures to restrict social media usage by those that have failed to comply with policies and procedures.
  • If you allow third-parties to post on your social media sites, add a disclosure that states your firm does not endorse third-party content. This will guard against anyone attributing any of this content to your RIA firm.
  • Similar to your Email handling, incorporate social media components to your Books & Records capabilities to archive and retrieve historical content upon request.
  • Adopt a risk-based approach to determining the appropriate frequency of monitoring.
  • Document your social media monitoring activities.

The AdvisorAssist CCO Series is a collection of blog posts that cover each of the elements of your RIA's compliance program.  Each post will provide an overview of one compliance topic, including our insights on how regulators view each topic as well as some practical steps to help Chief Compliance Officers address this topic. As always, we would welcome your comments and thoughts.

Brian Lauzon


Post a Comment