True Compliance for Social Media

1. TrueCompliance for Social Media™: When "good enough" is not enough

2. Introduction

It is no secret that social media within the financial services industry has exploded over the last few years. The industry recognises that social media is a powerful, cost-effective channel to reach new customers and strengthen existing relationships. However, enabling the use of social within a corporate environment also has compliance and security implications. Existing Financial Services Authority (FSA) rules still apply, and the regulator has issued additional guidelines on the use of social over the last couple of years. There is of course other European legislation to be considered, such as MiFID and PCI. Moreover, all these different social media channels today represent attractive avenues for hackers to unleash viruses and other types of malware on unsuspecting users. So, although the benefits of social are massive, organisations need to ensure they have the appropriate technology solutions in place to address these compliance and security concerns.
3. Compliance Requirements for Financial Services

Let's take a closer look at the FSA's guidelines. In its Financial Promotions Industry Update No 5 the FSA noted that all electronic communications shared via the internet should still be governed by High Level Standards and Business Standards. Within these regulations there are two main areas that need consideration when using social media.

Recordkeeping

SYSC 9.1 General rules on record-keeping states that "A firm must arrange for orderly records to be kept of its business and internal organisation, including all services and transactions undertaken by it, which must be sufficient to enable the FSA or any other relevant competent authority under MiFID to monitor the firm's compliance with the requirements under the regulatory system." This means that content such as LinkedIn Profile edits, Facebook posts and Tweets is all subject to recordkeeping rules.

In addition, ICOBS 2.4, MCOB 3.10 and COBS 4.11 state that adequate records of financial promotions must be kept. COBS 4.11.1 (1) specifically says "it communicates or approves," potentially implying that even unauthorised communication needs to be recorded.

Some specific facets of recordkeeping that firms must incorporate include the following:

• Tamper-proof archiving: Electronic records must be preserved exclusively in a non-rewriteable and non-erasable format. This means that data must be delivered to a customer's archiving system in its original form.
• Guaranteed message order preservation: Given the interactive nature of social media, retaining the context of blogs and their comments, Facebook chat conversations, and LinkedIn Group discussions is vital. Without context, firms face the daunting prospect of having to piece together one conversation from a vast repository of data.
• Non-repudiation: This refers to proof of the integrity and origin of data. With so many hackers and sophisticated schemes to deceive users, data authenticity is a key consideration.

Supervision

FSA regulated firms should review items such as LinkedIn Profiles and Facebook Profiles since they could be considered "advertisements" subject to pre-approval by an authorised person.

Some specific facets of supervision that firms must incorporate include the following:

• Real-time content review: COBS 4.10.3 and MCOB 3.11.1 prohibit unauthorised personnel from sending out financial promotions without prior approval from the FSA registered firm. Under Update number 5 this includes Tweets, status updates and LinkedIn Posts.
• Monitoring of links to third-party sites: Hyperlinks can be considered inducements depending on the prominence and type of link, e.g. clicking on a logo. Links to third-party sites are not normally considered a financial promotion, unless there is an agreement between the two to procure users.
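The three recordkeeping facets above (tamper-proof archiving, message order preservation, and integrity of the stored data) can be made checkable in the archive itself. The following is an added example, not code from this paper or from Actiance: it stores captured records in an append-only, hash-chained log with a sequence number, so that any edit, deletion or reordering after capture is detectable and a conversation can be reassembled in its original order. The sample records are constructed for illustration. A hash chain proves tamper-evidence and order; the origin-proof side of non-repudiation would additionally need the capture system to sign each link, which is not included here.

```python
import copy
import hashlib
import json

# Constructed sample of captured social media records (not real data).
SAMPLE_RECORDS = [
    {"channel": "facebook", "conversation": "post:1001", "actor": "jsmith",
     "action": "post", "body": "Great quarter for our fund!"},
    {"channel": "facebook", "conversation": "post:1001", "actor": "client42",
     "action": "comment", "body": "Can you share performance figures?"},
    {"channel": "facebook", "conversation": "post:1001", "actor": "jsmith",
     "action": "comment", "body": "Our compliance team will follow up."},
    {"channel": "linkedin", "conversation": "profile:jsmith", "actor": "jsmith",
     "action": "profile_edit", "body": "Headline changed to 'Senior Adviser'"},
]

GENESIS = "0" * 64  # link value for the first entry


def _digest(seq, prev_hash, record):
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps({"seq": seq, "prev": prev_hash, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def build_archive(records):
    """Append records in capture order, chaining each entry to the previous one.

    The sequence number preserves message order within and across conversations;
    the previous-hash link makes any edit, deletion or reordering detectable.
    """
    archive = []
    prev_hash = GENESIS
    for seq, record in enumerate(records):
        entry = {"seq": seq, "prev": prev_hash, "record": dict(record)}
        entry["hash"] = _digest(seq, prev_hash, entry["record"])
        archive.append(entry)
        prev_hash = entry["hash"]
    return archive


def verify_archive(archive):
    """Return (ok, problems). Walks the chain and recomputes every link."""
    problems = []
    prev_hash = GENESIS
    for position, entry in enumerate(archive):
        if entry["seq"] != position:
            problems.append(f"sequence gap or reorder at position {position} (seq {entry['seq']})")
        if entry["prev"] != prev_hash:
            problems.append(f"broken link at seq {entry['seq']}")
        if _digest(entry["seq"], entry["prev"], entry["record"]) != entry["hash"]:
            problems.append(f"content modified at seq {entry['seq']}")
        prev_hash = entry["hash"]
    return (not problems, problems)


def conversation(archive, conversation_id):
    """Reassemble one conversation, in original order, from the archive."""
    return [e["record"]["body"] for e in archive
            if e["record"]["conversation"] == conversation_id]


def tamper_cases(records):
    """Apply three after-the-fact tampering scenarios to fresh archives and
    report what verification finds for each."""
    results = {}
    modified = copy.deepcopy(build_archive(records))
    modified[1]["record"]["body"] = "Can you share performance figures? [edited]"
    results["modified"] = verify_archive(modified)[1]
    deleted = copy.deepcopy(build_archive(records))
    del deleted[1]
    results["deleted"] = verify_archive(deleted)[1]
    reordered = copy.deepcopy(build_archive(records))
    reordered[1], reordered[2] = reordered[2], reordered[1]
    results["reordered"] = verify_archive(reordered)[1]
    return results


if __name__ == "__main__":
    archive = build_archive(SAMPLE_RECORDS)
    print("intact archive verifies:", verify_archive(archive)[0])
    print("post:1001 in order:", conversation(archive, "post:1001"))
    for scenario, problems in tamper_cases(SAMPLE_RECORDS).items():
        print(f"{scenario}: {problems}")
```

Because each entry commits to its predecessor, the archive only needs to be appended to and its latest hash periodically recorded somewhere outside the archive (or handed to the customer's own system) for the whole history up to that point to become non-rewriteable in practice.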
4. Addressing the Requirements

So, what must firms do to properly address the requirements outlined above? The following are some key considerations:

Pre-review certain communications

There are some aspects of social media sites that unequivocally require pre-approval by an authorised person, for instance a tweet that could be deemed a financial promotion posted by an unauthorised person. Regarding general tweets or Facebook posts, the FSA leaves it up to the individual firm to decide its policy based on its risk-tolerance profile.

Feature access controls

Since some social media features may invoke the "inducement" or "procurement" theories, controlling individual features, such as Facebook Likes, LinkedIn Recommendations, or Twitter Retweets, becomes critical. Being able to pick and choose the allowable features gives firms the flexibility to enable the use of social without having to worry about the "inducement" issue.

Tracking user activities

Establishing a complete audit trail of a user's interaction with a given social media site comes into play in both regulatory and legal inquiries. For instance, say there's a lawsuit involving the social media activities of John Smith while he was at work on a corporate-owned device. Counsel for both sides would be very interested in knowing what Smith was doing from 10am to 11am while on Facebook. Did he upload any content? Did he delete any content? What other areas (e.g., Photos, Groups, Discussion boards, Chat) did he visit during that one hour? Did he post content to other sites from Facebook? The user activity history thus becomes very relevant.

Capture as much as possible

The FSA and MiFID require firms to capture all business-related communications. With the proliferation of smartphones nowadays, it is essential for firms to have policies and technology in place to accommodate the reality of employees using personal devices for business-related communications.

Authenticity of data

Firms must store social media content in tamper-proof repositories, such that data integrity is not compromised. Message order preservation and guaranteed delivery to the customer's archive are two such ways to ensure authenticity of data.
5. Potential Technology Solutions

Solutions that enable compliance for social media generally take one of two technology approaches: the API and the proxy.

The API

Each social network (e.g., Facebook, LinkedIn, and Twitter) makes its API available to third-party developers. Each API is a little bit different. For instance, each social network allows calls to its API ("API calls") only a limited number of times per day. That number depends on several factors, such as the number of employees at the company calling the API. It also means that capture is NOT done in real-time. In the period between each of these API calls, comments or posts on, say, Facebook can be edited or deleted. These edits and deletions are just as important as the initial posts themselves. Regulatory bodies like the FSA are interested in the deleted content as much as the content that remains unchanged. This period between API calls is the "window of vulnerability" that opens the door to potential non-compliance, putting the firm at risk for sanctions or other penalties.

The Proxy

This approach entails the routing of social media traffic through a technology vendor's solution, be it through proxy-forwarding rules or a proxy auto-configuration (PAC) file. Either way, the technology vendor sees all the traffic in real-time, as it happens. It offers the most granular controls available for users on a corporate-managed device or network. All user activities can be logged (e.g., a user's entire Facebook session can be captured with all the associated metadata) and archived. Pre-review capabilities and blocking/allowing access to specific features of a social network (e.g., Facebook Like, LinkedIn Recommendation, Twitter Retweet) are also made possible with the proxy. Most importantly, a proxy eliminates the API's "window of vulnerability" because the proxy captures data in real-time.
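The "window of vulnerability" between API polls is easy to see on a timeline. The following is an added example, not code from this paper or from Actiance: it replays a constructed sequence of edits to one post through two capture models, an inline (proxy-style) capture that records every event as it happens and a polling (API-style) capture that only fetches the post's current state every N minutes. The event timeline, timings and poll interval are all invented for the illustration; the point it shows is that a non-compliant edit posted and reverted between two polls never appears in the polled record at all.

```python
# Constructed timeline of activity on one post (times are minute offsets).
# This is invented sample data, not a real capture.
SAMPLE_EVENTS = [
    {"t": 0,  "action": "post",
     "body": "Our fund returned 12% last year."},
    {"t": 7,  "action": "edit",
     "body": "Our fund returned 12% last year. Past performance is not a guide to future returns."},
    {"t": 17, "action": "edit",            # the version a supervisor would need to see
     "body": "Guaranteed 12% returns! DM me."},
    {"t": 28, "action": "edit",            # reverted before the next poll
     "body": "Our fund returned 12% last year. Past performance is not a guide to future returns."},
    {"t": 40, "action": "delete", "body": None},
]


def inline_capture(events):
    """Proxy-style capture: every request passes through the capture point,
    so every event (including edits and the deletion) is recorded as it happens."""
    return [dict(e) for e in events]


def current_state(events, t):
    """State of the post at time t: the body after the latest event at or before t.
    None means not yet posted, or deleted."""
    state = None
    for e in events:
        if e["t"] <= t:
            state = e["body"]
    return state


def polling_capture(events, interval, horizon):
    """API-style capture: fetch the post's current state every `interval` minutes
    up to `horizon`. Only the state visible at each poll is observed; a poll that
    returns the same state as the previous one adds nothing to the record."""
    observed = []
    last_seen = object()  # sentinel so the first poll is always recorded
    for t in range(0, horizon + 1, interval):
        state = current_state(events, t)
        if state != last_seen:
            observed.append({"t": t, "state": state})
            last_seen = state
    return observed


def unseen_by_polling(events, interval, horizon):
    """Content-bearing events whose body never showed up in any poll.
    These fall inside the window of vulnerability between API calls."""
    seen = {o["state"] for o in polling_capture(events, interval, horizon)}
    return [e for e in events if e["body"] is not None and e["body"] not in seen]


if __name__ == "__main__":
    print("inline capture records", len(inline_capture(SAMPLE_EVENTS)), "events")
    for o in polling_capture(SAMPLE_EVENTS, interval=15, horizon=60):
        print(f"poll at t={o['t']:>2}: {o['state']!r}")
    for e in unseen_by_polling(SAMPLE_EVENTS, interval=15, horizon=60):
        print(f"never observed by polling: t={e['t']} {e['body']!r}")
```

With a 15-minute poll the record shows the original post, the disclaimed version and then a deletion; the "Guaranteed 12% returns" edit at t=17 is absent, and the deletion is only known to have happened somewhere between the t=30 and t=45 polls. Shrinking the interval (here to 1 minute) closes the gap for this timeline, but the API rate limits described above are exactly what prevents polling that often in practice.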
6. The Best Practice Solution

Given the stringent requirements of regulatory governance, firms must leverage both approaches to ensure complete compliance. On their own, the API and proxy are not enough to remain compliant. The best practice, therefore, is to use BOTH, so that a firm can confidently meet all of its compliance requirements (see table below).

Requirement   | Detail                                                                          | Example                                                                                                   | Proxy | API
--------------|---------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------|-------|----
Supervision   | Pre-review                                                                      | LinkedIn Profile edits                                                                                    | Yes   | No
Supervision   | Feature access controls                                                         | Block Facebook Like                                                                                       | Yes   | No
Recordkeeping | Real-time capture of ALL content while on corporate-managed network or device  | Archive all tweets, Facebook posts, LinkedIn updates done from a work laptop                              | Yes   | No
Recordkeeping | Logging of user activities                                                      | Track user movement from LinkedIn Homepage to joining LinkedIn Group to trying to make a Recommendation   | Yes   | No
Recordkeeping | Capture of content regardless of device or location                             | Capture business-related tweet made from a personal iPhone                                                | No    | Yes
Recordkeeping | Automatic removal of inappropriate content                                      | Removal of offensive joke from company Facebook page                                                      | No    | Yes

About Actiance

Actiance is the only technology vendor in the market that utilises both the API and proxy methods to ensure its customers remain compliant. In fact, Actiance is the only vendor offering TrueCompliance™, a collection of features that support the strictest requirements of social media compliance:

• Tamper-proof archiving
• Guaranteed preservation of message/conversation order (context)
• Guaranteed data delivery to customer's archiving system
• Guaranteed non-circumvention
• Real-time content filtering with advanced pattern matching, blocking and scanning (supervision)
7. Contact

Worldwide Headquarters: 1301 Shoreway, Suite 275, Belmont, CA 94002 USA. Phone (650) 631-6300.

EMEA Headquarters: 400 Thames Valley Park, Reading, Berkshire, RG6 1PT UK. Phone +44 (0) 118 963 7469.

This document is for informational purposes only. Actiance makes no warranties, express or implied, in this document. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Actiance, Inc.

© 2001 - 2012 Actiance, Inc. All rights reserved. Actiance and the Actiance logo are registered trademarks of Actiance, Inc. Actiance Vantage, Unified Security Gateway, Socialite, TrueCompliance and Insight are trademarks of Actiance, Inc. All other trademarks are the property of their respective owners.