Social Media Guidelines for Insurance Industry

The overall tone of regulatory guidance is fairly consistent. Firms need to adhere to all recordkeeping and supervisory requirements and have the appropriate processes and policies in place to ensure compliance. Anything short of that may generate negative regulatory scrutiny and possibly risk the reputation of the firm.


  1. 1. Insurance and Social Media: Understanding the Rules
  2. 2. Insurance and Social Media: Understanding the Rules

     The tide of social media has reached the shores of the insurance industry. Following in the footsteps of their broker-dealer brethren, insurance companies are beginning to utilize social to build brand awareness, enhance customer service, recruit new agents, enhance existing relationships, and identify and nurture prospective clients. However, as a regulated industry, insurance firms are taking a cautious approach when permitting agents to use social media. A lesson learned from regulators of the securities industry, such as the Securities and Exchange Commission and the Financial Industry Regulatory Authority (FINRA) is that regulators consider social media as just another form of electronic communications and should be treated as such.

     This article takes a look at four sources of regulations to understand the direction the insurance industry is heading with respect to social media guidelines:

     • A draft of a white paper issued by the National Association of Insurance Commissioners (NAIC)
     • Social media guidance issued by FINRA, which applies to broker-dealers and registered representatives who sell variable life and annuity products
     • SEC’s National Examination Alert, Investment Advisor Use of Social Media, which applies to Investment Advisors and Registered Investment Advisors
     • Recent guidance from a state regulator (Massachusetts)

     National Association of Insurance Commissioners

     In addition to the SEC and FINRA (for those insurance firms who sell variable life and annuity products), insurance firms are also regulated by each of the individual state insurance regulators. However, the National Association of Insurance Commissioners (NAIC) was created in 1871 to address the need to coordinate regulation of multistate insurers. As a result, in 2011, the NAIC formed a working group to draft a white paper on “The Use of Social Media in Insurance”. [1] Although still in draft form (as of December 2011), this document still reveals hints on how the NAIC will treat social media in the future.

     Supervision, Monitoring, and Training

     Social media communications must align with existing regulations related to advertising, marketing, record retention, privacy, and consumer complaints. Firms must relay their internal policies to their appointed producers and employ a risk-based approach to train users.

     Content

     • Firms are responsible for content posted to its own sites, for posts by appointed producers (if attributed back to the firm), and possibly for posts of third parties.
     • Like FINRA’s guidance, content is considered either static or interactive. Static content, i.e., content that remains posted until it is changed by the author, must comply with state marketing and advertising regulations. Interactive content, i.e., real-time communications, requires a more “nuanced,” or fact-based approach. Such content may not require filing or approval prior to use. As a best practice, firms should develop workflows that facilitate the pre-approval of static content and the supervision and moderation of interactive content.
  3. 3. • According to existing “adoption” and “entanglement” theories, firms may be responsible for third-party content, should an insurer/producer be involved in the preparation of content or the implicit or explicit endorsement of the third-party content. As a best practice, to avoid being responsible for third-party content, firms often disable the use of “retweet” or “favorite” within social media sites.
     • Firms should adopt policies and controls to ensure content is accurate and timely and any product recommendations should comply with existing state laws and regulations. As a best practice, firms need to design risk-based supervisory procedures to ensure compliance with content standards that may include sampling and lexicon-based automated searches, typically by working with a third party.

     Recordkeeping Requirements

     Firms must maintain books and records so that examiners may readily determine compliance with rules and regulations. When an insurer is responsible for content, it must comply with individual state record retention requirements. As a best practice, as native social media sites do not provide retention or retrieval capabilities, firms typically work with third-party vendors to meet recordkeeping requirements.

     Financial Industry Regulatory Authority (FINRA)

     FINRA, regulator of broker-dealer firms in the securities industry, issued specific guidance for social media in January 2010 [2] and then again in August of 2011. [3] FINRA reiterated that there are no new rules. Instead, firms are challenged to interpret how to apply these existing categories of rules and regulations to social media:

     Recordkeeping

     Firms must capture, save, and make easily available all written business correspondence, including social media communications, such as updates, tweets, direct messages, from both business and personal devices. The content is determinative. Timeframes vary, but in some cases, these communications need to be archived for at least five years. As a best practice, since social media sites do not offer this capability natively, firms are challenged to find another solution, typically by working with a third-party vendor(s).

     Suitability

     Broker-dealers must ensure that recommendations registered representatives (RRs) make to their clients are suitable for each investor. That means that the RRs must know their customers’ investment objectives and risk tolerance at that moment in time. As a best practice, firms typically prohibit recommending specific products, unless a registered principal of the firm has approved the communication.

     Communications with the Public

     Firms need to adhere to content standards for all communications. For example, they must disclose all the facts, cannot be misleading, nor can guarantee results. Testimonials are only allowed in certain circumstances for RRs. As a best practice, firms typically monitor communications to make sure content standards are being adhered to and also disable the ability to make recommendations and, in some cases, to “like.”
  4. 4. Firms also need to make sure communications are reviewed, either before or after they are made public, depending on how they are categorized and on the content. Static content, such as an advertisement, brochure, or profile on a social media site, needs to be pre-approved by a registered principal of the firm before it is made public. However, interactive communications, such as real-time interactions, may not require pre-approval, but a pre-determined percentage of them must be supervised. Both static and interactive communications must meet content standards and be supervised. Furthermore, all communications must be captured and retained. As a best practice, as communications rules are fairly complex and their interpretation is evolving, firms typically confer with their compliance department to develop processes for review and approval of content, either before it is posted or after, depending on the content of the communications and the firm’s risk tolerance. [4]

     Supervision

     As with any type of electronic communications (such as email or instant messages), firms must demonstrate that they are supervising communications to ensure adherence with content standards. Regulators do not specify what percentage of communications must be reviewed. Instead, FINRA allows firms to use a risk-based approach, i.e., firms create supervision policies based on their own tolerance for risk, the type of content, plus compliance history of staff. However, FINRA does specify those associated persons who use social media must first receive training. As a best practice, firms develop and follow risk-based written supervisory procedures to ensure processes are in place to pre-approve static and product-related content. For interactive content that does necessarily require pre-approval, firms determine how, when, and what percentage of content will be reviewed and then develop training programs for everyone who will be using social media.

     Firms are not responsible for third-party content unless they have involved themselves in the preparation of the content or explicitly or implicitly endorsed or approved the content. As a best practice, firms should establish and publish usage guidelines for customers and other third parties that are permitted to post on firm-sponsored websites. Firms should also monitor and block inappropriate third-party content and provide disclaimers regarding its responsibility for third-party posts. As retweeting, “liking,” or marking as “favorite” could be considered an endorsement of the post, firms typically block these capabilities.
  5. 5. The Securities and Exchange Commission (SEC)

     On January 4, 2012, the SEC issued the National Examination Risk Alert, Investment Advisor Use of Social Media. [5] SEC staff of the Office of Compliance Inspections and Examinations stated that firms’ use of social media must comply with federal securities laws, including anti-fraud provisions, compliance provisions, and recordkeeping. Furthermore, the SEC noted that many firms have overlapping procedures that apply to advertisements, i.e., client communications which may or may not include social media. They warned that this lack of specificity creates confusion. The SEC also stated that firms should identify risks and then test whether their in-house policies and procedures effectively address these risks.

     Factors to Consider Before Implementing Social Media

     The SEC identified thirteen factors that an investment advisor may want to consider when evaluating the effectiveness of its compliance program. Factors include clearly establishing usage guidelines, thinking through how you will monitor social media sites as well as how often. For example, the SEC warned that due to the viral nature of social media, post-review (e.g., days later) may not be sufficient. The SEC also suggests that firms design and implement workflows for pre-approving content and to train and certify investment advisors on the use of social media. Also important, firms should determine in advance whether there are enough resources dedicated to monitoring activity. Like other regulators, such as FINRA and the Investment Industry Regulatory Organization of Canada (IIROC), the SEC points out the importance of training and suggests examining the functionality of each social media site to ensure client privacy. The SEC made special mention about the risks of data security, as social media can render firms more vulnerable to data leakage and malware. Best Practice: the SEC suggests that each firm identify and thoughtfully think through the compliance factors that may create risk for the firm and then test whether existing policies and procedures address or mitigate those risks.

     Third-Party Postings

     The SEC further states that firms which allow third-party postings on their social media sites should develop policies about these third-party posts, particularly testimonials. Whether a third-party posting is a testimonial depends on all the “facts and circumstances,” however, SEC staff interprets the term to include clients’ experiences with, or endorsement of, an IA. Therefore, the use of “social plug-ins” such as the “Like” button could be interpreted as a testimonial under the Advisers Act, if it’s an explicit or implicit statement of a client’s experience with an advisor. In cases where social media sites do not allow the ability to disable “Like” or similar features, RIAs should develop a system to monitor and remove certain third-party postings. Best Practice: to avoid the interpretation of a testimonial, firms typically disable “Like” and “Recommendations” when possible.

     Recordkeeping

     The final section of the alert concerns recordkeeping. The existing Advisers Act defines recordkeeping requirements for IAs. In short, like FINRA and IIROC in Canada, the SEC does not treat social media any differently than any other written communications, such as emails or instant messages. Furthermore, like the other regulators, content is determinative – meaning that the content will determine the recordkeeping requirements. The SEC and the other regulators are only interested in business communications “as such.” All social media communications (e.g., status updates, direct messaging, texting, etc.) must be retained and be easily available for inspection for at least five years. The SEC also states that firms should conduct employee training programs specifically for recordkeeping requirements and do spot checks to ensure employees are complying with the policies. These records should be indexed in such a way that they are easily retrievable. Best Practice: as the SEC suggests, firms should consider using third parties for record retention.
  6. 6. Massachusetts Issues Regulatory Guidance on Social Media

     Early in 2012, the Massachusetts Securities Division of the Commonwealth of Massachusetts provided regulatory guidance on social media. [6] While the Division’s alert applies only to state-registered investment advisors, it is worth noting as regulators tend to look to each other when issuing guidance on new areas of compliance. The essence of this guidance echoes SEC, FINRA and NAIC:

     • Social media is considered advertising and subject to applicable regulatory requirements.
     • Recordkeeping obligations under the Advisers Act and other applicable Massachusetts regulations include content on social media sites.
     • According to adoption and entanglement theories discussed above, firms may be responsible for third-party content.
     • Testimonials are prohibited.
     • Full and fair disclosure of all material information relating to advertised performance is required. Investment advisors are advised to consider the appropriateness of social media for performance advertising.
     • Firms must establish and maintain a system to supervise the activities of investment advisors and other employees to ensure compliance.

     Summary

     Although there are subtle, but important, differences in the interpretation of the rules (e.g., pre- and post-approval of content, the use of testimonials, and circumstances where firms are responsible for third-party content) across all the regulators, the overall tone of regulatory guidance is fairly consistent. Firms need to adhere to all recordkeeping and supervisory requirements and have the appropriate processes and policies in place to ensure compliance. Anything short of that may generate negative regulatory scrutiny and possibly risk the reputation of the firm.
  7. 7. Best Practices Overview

     • Firms should develop workflows that facilitate the pre-approval of static content and the supervision and moderation of interactive content.
     • To avoid being responsible for third-party content, firms often disable the use of “retweet” or “favorite” within social media sites.
     • Firms need to design risk-based supervisory procedures to ensure compliance with content standards that may include sampling and lexicon-based automated searches, typically by working with a third party.
     • As native social media sites do not provide retention or retrieval capabilities, firms typically work with third-party vendors to meet recordkeeping requirements.
     • Since social media sites do not offer recordkeeping capabilities natively, firms are challenged to find another solution, typically by working with a third-party vendor(s).
     • Firms typically prohibit recommending specific products, unless a registered principal of the firm has approved the communication.
     • Firms typically monitor communications to make sure content standards are being adhered to and also disable the ability to make recommendations and, in some cases, to “like.”
     • As communications rules are fairly complex and their interpretation is evolving, firms typically confer with their compliance department to develop processes for review and approval of content, either before it is posted or after, depending on the content of the communications and the firm’s risk tolerance.
     • Firms should establish and publish usage guidelines for customers and other third parties that are permitted to post on firm-sponsored websites. Firms should also monitor and block inappropriate third-party content and provide disclaimers regarding its responsibility for third-party posts. As retweeting, “liking,” or marking as “favorite” could be considered an endorsement of the post, firms typically block these capabilities.
     • Firms develop and follow risk-based written supervisory procedures to ensure processes are in place to pre-approve static and product-related content.
     • For interactive content that does necessarily require pre-approval, firms determine how, when, and what percentage of content will be reviewed and then develop training programs for everyone who will be using social media.
     • The SEC suggests that each firm identify and thoughtfully think through the compliance factors that may create risk for the firm and then test whether existing policies and procedures address or mitigate those risks.
     • To avoid the interpretation of a testimonial, firms typically disable “Like” and “Recommendations” when possible.
     • As the SEC suggests, firms should consider using third parties for record retention.
  8. 8. Socialite

     The Socialite platform helps organizations protect their brand and ensure compliance while allowing employees to share relevant content, measure impact, and increase engagement. Socialite controls access to more than 200 features across social networks but can also moderate, manage, and archive any social media traffic routed through the solution.

     About Actiance

     Actiance helps organizations manage, secure and ensure compliance across unified communications, collaboration, and Web 2.0 applications such as blogs, wikis and social networks. Actiance’s award-winning platforms are used by 9 of the top 10 US banks and nearly 300 FINRA-regulated firms globally. The Actiance platform allows organizations to gain visibility of applications in use, apply usage and content policies, ensure compliance, and gain valuable insights across the communications and collaboration channels in use. Actiance supports all leading social networks, unified communications, and collaboration providers and IM platforms, including Facebook, LinkedIn, Twitter, Google, Yahoo!, AOL, Skype, Cisco, Microsoft, Jive, and IBM. Actiance is headquartered in Belmont, California. For more information, visit www.actiance.com or call 1-888-349-3223.

     References

     [1] http://www.naic.org/documents/committees_d_social_media_exposures_111201_whitepaper_draft_social_media.pdf
     [2] FINRA Regulatory Notice 10-06, “Guidance on Blogs and Social Networking Web Sites,” http://www.finra.org/Industry/Regulation/Notices/2010/P120760
     [3] FINRA Regulatory Notice 11-39, “Guidance on Social Networking Websites and Business Communications,” http://www.finra.org/Industry/Regulation/Notices/2011/P124187
     [4] For more information and detailed recommendations, see Actiance, Addressing FINRA Regulations for Social Media
     [5] SEC National Examination Alert, Investment Advisor Use of Social Media, http://www.sec.gov/about/offices/ocie/riskalert-socialmedia.pdf
     [6] http://www.sec.state.ma.us/sct/sctpdf/The%20Use%20of%20Social%20Media%20by%20Investment%20Advisers.pdf
  9. 9. Worldwide Headquarters: 1301 Shoreway, Suite 275, Belmont, CA 94002 USA. (650) 631-6300 phone. info@actiance.com

     EMEA Headquarters: 400 Thames Valley Park, Reading, Berkshire, RG6 1PT UK. +44 (0) 118 963 7469 phone. emea@actiance.com

     This document is for informational purposes only. Actiance makes no warranties, express or implied, in this document.

     Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Actiance, Inc.

     © 2001 - 2012 Actiance, Inc. All rights reserved. Actiance and the Actiance logo are registered trademarks of Actiance, Inc. Actiance Vantage, Unified Security Gateway, Socialite, and Insight are trademarks of Actiance, Inc. All other trademarks are the property of their respective owners.
