9 Keys to FINRA Blessing Enterprise Social Software Use

Enterprise social software is on fire. Financial services organizations have jumped on the bandwagon and are beginning to use platforms like Jive, SharePoint, Connections, Yammer, and others to collaborate and enhance productivity. But lurking in the shadows is the Financial Industry Regulatory Authority (FINRA), whose Regulatory Notices 10-06 and 11-39 apply to these platforms just as they do to Facebook, LinkedIn, and Twitter, everybody's social media darlings.
This means that compliance officers and legal counsel must meet governance requirements similar to those already in place for email and IM when deploying social software technologies.

This whitepaper details:
• Key rules, guidelines, and notices that impact FINRA member firms’ use of enterprise social software
• Potential risks of social software use
• 9 tips on how firms can utilize social software without incurring FINRA’s wrath

Published in: Business
Contents

Executive Summary
Growth of Enterprise Social Software
Compliance Risks
  Regulatory Risks
  Legal Risks
  User Behavior and Policies
Key Rules
  FINRA Rule 2210 (Communications with the Public)
  NASD Rule 3010 (Supervision)
  FINRA Rule 4511 (Books and Records)
Key FINRA Notices
  Regulatory Notice 07-59 (Supervision of Electronic Communications)
  Regulatory Notice 10-06 (Social Media Websites)
  Regulatory Notice 11-39 (Social Media Websites and Use of Personal Devices)
How Actiance Meets FINRA Compliance Requirements
  Vantage
Nine Steps to ESS Compliance
About Actiance
Executive Summary

In January 2010, the Financial Industry Regulatory Authority (FINRA) issued Regulatory Notice 10-06, its latest guidance in a series on electronic communications, this one specifically addressing social media websites. The growth in social networking is huge and is now matched by the adoption of enterprise social software (ESS). Organizations are deploying ESS for their employees, partners, and customers to accelerate business processes through improved collaboration and expertise discovery. A social business embraces networks of people to create business value: it deepens relationships with customers, drives operational effectiveness, and optimizes its workforce.

With the publication of Regulatory Notice 10-06, compliance officers know that when they evaluate social software they must meet requirements similar to those that have long applied to email and instant messaging. This whitepaper sets out some of the key rules, guidelines, and associated risks for FINRA member firms and suggests ways that organizations can use technology to protect themselves and their registered representatives.
Growth of Enterprise Social Software

Over the past decade, organizations have shifted an increasing number of enterprise tasks and content to collaboration platforms such as Jive, SharePoint, Connections, and Yammer. Enterprises are now also leveraging these platforms' social media capabilities, such as exchanging documents, posting blog entries, and soliciting feedback (i.e., basically anything that facilitates collaboration and enhances employee productivity). The growth of these platforms is reflected in the following data points:

• The enterprise social software market is expected to reach $2 billion by 2014 (Source: IDC).
• Among all of Microsoft's server offerings, SharePoint reached $1 billion in annual revenue in the shortest amount of time.
• Microsoft acquired Yammer for $1.2 billion (June 2012).
• 61% reduction in time spent on compliance activities through the use of social software (Deloitte Center for the Edge study, March 2011).

The bottom line is that many stakeholders have benefited from the growth of social business platforms.

Compliance Risks

The risks that ESS tools pose are very similar to those of other electronic communications such as email: non-compliance with government and industry regulations, and substantial litigation and eDiscovery costs. As with email, the principles for applying policies and remaining compliant are the same. A sampling of regulations and statutes outside FINRA's own guidance that bear on the governance of ESS content:
Regulation or Rule: Impact

Gramm-Leach-Bliley Act (GLBA): Information protection; monitor for sensitive content and ensure it is not sent over public channels (e.g., Twitter).

Investment Advisers Act of 1940: Investment advisers are prohibited from publishing, circulating, or distributing any advertisement that refers, directly or indirectly, to any testimonial of any kind concerning the investment adviser or concerning any advice, analysis, report, or other service rendered by the investment adviser.

SEC Rules 17a-3 and 17a-4: Specify the types of records that broker-dealers must make and preserve, and the manner and length of time for which they must be preserved.

PCI DSS: Ensure cardholder data is not sent over unsecured channels, and be able to prove that it has not been.

Federal Rules of Civil Procedure (FRCP): Email and IM are electronically stored information (ESI). Posts to social media sites must be preserved if they are reasonably determined to be discoverable.

Sarbanes-Oxley (SOX): Businesses must preserve information relevant to company financial reporting, which can include IM and social media "conversations."

Regulatory Risks

The problem for regulated financial institutions is that inappropriate use of such widely available communications and collaboration tools can mean non-compliance with government and industry regulations, resulting in hefty fines, loss of business, and exposure to fraud.

In 2011, FINRA found that Jenny Ta, a registered broker in California, had failed to inform a registered firm principal that she had a Twitter account, which she used periodically to tout a specific stock. FINRA also found that her tweets often predicted an imminent price increase and that she did not disclose her family's substantial position in that stock, all of which violated FINRA rules. She was fined $10,000 and suspended for a year.
Similarly, in 2012, the SEC filed an enforcement action against Anthony Fields, an Illinois-based investment adviser, accusing him of making "fraudulent offers" of more than $500 billion in "fictitious securities through various forms of social media," namely LinkedIn.

Legal Risks

Virtually all company data is subject to discovery should legal action be taken, including communications traffic over blogs, wikis, discussion forums, bookmarks, social media, and unified communications. At the end of the day, these are all simply forms of "electronic communications." The process of archiving, storing, and making these conversations and posts easily retrievable, not just for regulatory compliance but also for legal holds and eDiscovery, is made complex by the multi-dimensional nature of these conversations. For example, a wiki or blog post can have numerous contributors and respondents, each one commenting, replying, deleting, and editing content. This dynamic interchange of content underscores the importance of context: who said what and when, and did he or she edit or delete any comments? Chronology and context are therefore crucial.

User Behavior and Policies

Social communities, wikis, profiles, and blogs offer huge productivity benefits when used in the context of business processes, but they also require comprehensive governance and usage guidelines. These guidelines can be added to the existing Acceptable Use Policies (AUPs) for other electronic communications or IT equipment. Well-constructed social computing guidelines help educate employees about the appropriate uses of these applications. Employees have to understand that they are responsible for the content they share, should respect the opinions of others, and must protect confidential information.
Unlike employees in many other industries, registered representatives are duty-bound to follow the rules and regulations surrounding electronic communications. For this reason, it is very important to have good communication and education components in your social software deployment plan. The concepts are not complex; they just need to be communicated clearly to establish acceptable behavior. It is also a best practice to designate a social computing subject matter expert to answer questions about the guidelines and the desired behavior.

Key Rules

FINRA Rule 2210 (Communications with the Public)

In February 2013, FINRA replaced NASD Rules 2210 and 2211 and NYSE Rule 472 with FINRA Rule 2210, which governs communications with the public. The new rule reduces the number of communications categories from six to three, two of which pertain to social media (the third, institutional communication, covers communications distributed only to institutional investors):

Correspondence
Correspondence includes any written (including electronic) communication that is distributed or made available to 25 or fewer retail investors within any 30 calendar-day period.

Retail communication
Retail communication includes any written (including electronic) communication that is distributed or made available to more than 25 retail investors within any 30 calendar-day period. A "retail investor" is any person other than an institutional investor, regardless of whether the person has an account with the firm. Communications that formerly qualified as advertisements and sales literature generally now fall under the definition of "retail communication."
Compliance considerations

• Regulatory Notice 10-06 does pave the way for registered representatives to participate in real-time communications, but care still needs to be given to the content of the message.
• Under FINRA Rule 2210, communications with the public must be based on the principles of fair dealing and good faith; misleading statements, exaggerated claims, and predictions or projections of investment performance are prohibited (save for a few narrowly defined exceptions in the rule).
• Sharing or republishing a third party's comment is likely to be treated as an endorsement of it, as is "Liking" a comment on Jive or Salesforce Chatter, so caution is urged.

Compliance recommendations

Because human error or judgment is so frequently a contributing factor in adverse situations, organizations began implementing content filtering for their email platforms long ago. Companies now need a solution that provides content filtering for messages posted to the full range of real-time communications tools, including ESS, to ensure that all messages are appropriate.

NASD Rule 3010 (Supervision)

"Members must establish, maintain and enforce written procedures for communications"; that this includes electronic communications was confirmed in Notice 99-03. Furthermore, Regulatory Notice 10-06 reminds members that under NASD Rule 3010 they must supervise social media communications "in a manner reasonably designed to ensure that they do not violate the content requirements of FINRA's communications rules."

Compliance considerations

• It is not possible to supervise communications if the organization does not have visibility of all the electronic communications tools in use on its network.
• An enterprise should standardize on the electronic communications tools, including social applications, that its employees and customers use to meet collaboration requirements. This decreases the temptation to download other applications, some of which are specifically designed to evade traditional security measures.

Compliance recommendations

To be able to enforce communications policies, enterprises need technology that provides visibility into all ESS tools on the network and the ability to block or control their use.

FINRA Rule 4511 (Books and Records)

Firms are obligated to (1) make and preserve books and records as required under FINRA and SEC rules, and (2) preserve those books and records in a format and on media that comply with SEC Rule 17a-4. The rule also requires firms to preserve, for at least six years, FINRA books and records for which no retention period is specified under applicable FINRA or SEC rules.

Compliance considerations

• ESS platforms offer little to no native archiving functionality, making it difficult to comply with FINRA or SEC rules that require, where appropriate, review "by a supervisor of employees' incoming, outgoing and internal electronic communications."
• What native archiving ESS platforms do offer is rarely able to provide a granular breakdown of conversations by person (including buddy names), key phrase, and timeframe, which is essential for compliance and eDiscovery.
• This is further complicated by the multitude of modalities used in conversations, from IM to blogs to wikis.
Compliance recommendations

Enterprises should deploy a central archiving system that enables easy review of posted messages and detailed analysis of electronic conversations, including file downloads both internal and external, complete with an audit trail of the auditor who reviewed the information. The record should also include who joined a conversation and when, when they left, any disclaimers shown (at the beginning of a conversation, for instance), and call detail records for voice calls, group meeting sessions, and the like.

Key FINRA Notices

Regulatory Notice 07-59 (Supervision of Electronic Communications)

Recognizing the ever-expanding role of electronic communications, FINRA in Regulatory Notice 07-59 suggests that members consider taking steps "to reduce, manage or eliminate potential conflicts of interest, to prevent electronic communications between certain individuals/groups or monitoring communications as required by FINRA rules."

Compliance considerations

• In certain situations, there may be a requirement to restrict electronic conversations between internal personnel, such as between research and non-research departments. There may also be a requirement to restrict electronic communications between specific persons at different organizations while still allowing broad communication with others.
• Though it is easy for a registered representative in a one-to-one instant message conversation to recognize whether or not they should be talking to the other party, the popularity of features such as discussion forums within a community makes this a considerable risk.

Compliance recommendations

Implement ethical walls at both the group and the domain level so that conflicted personnel do not accidentally "meet" electronically, and maintain a full audit trail that clearly shows when an individual joined a meeting and subsequently left. Displaying a disclaimer when a member joins a meeting can help reinforce the message.

Regulatory Notice 10-06 (Social Media Websites)

Regulatory Notice 10-06 makes it very clear that electronic communications shared via the Internet are to be treated just as if they had been made in person or in non-electronic written form.

Compliance considerations

• Social media is a dynamic medium that relies on real-time (or near real-time) interaction between participants to be a useful resource for information and communication. Allowing unfiltered access raises the possibility of an employee accidentally or deliberately saying something inappropriate.
• Moderating every post manually increases the overhead of using social media and may add a delay to the "conversation" that offsets the benefit of using the medium.

Compliance recommendations

Educate users to understand what is considered appropriate content. Implement filters or moderation processes that can control the content posted to external social media sites.
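The filters and ethical walls recommended in this section are easy to describe and easy to get wrong in practice, so here is a worked illustration. It is an added example, not Actiance's code and not part of the original whitepaper: a small Python screener that runs a lexicon of keywords and regular expressions over posts (the approach the nine-step list later calls "content filtering"), suppresses card-number false positives with a Luhn check so that order and phone numbers do not raise alerts, masks any real card number before it is written into a finding, and applies a group-level ethical wall between research and investment banking. The lexicon entries, the department directory, the wall definition and the sample posts are all constructed for the example.

```python
"""Lexicon and ethical-wall screening for enterprise social posts.
Added example, not Actiance code or part of the original whitepaper; the
lexicon, directory, wall and sample posts below are constructed."""
import re
from dataclasses import dataclass

# Lexicon entries: (rule name, compiled pattern, severity). "prediction"
# targets language FINRA Rule 2210 treats as a performance prediction or
# guarantee; "pan" targets payment card numbers (13-19 digits, optional
# space or dash separators) that must never leave the firm.
LEXICON = [
    ("prediction",
     re.compile(r"\b(guaranteed|can'?t lose|risk[- ]free|"
                r"will (double|triple|soar)|sure thing)\b", re.IGNORECASE),
     "high"),
    ("pan", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), "high"),
]

def luhn_ok(digits: str) -> bool:
    """Luhn check so order and phone numbers do not trip the PAN rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Post:
    author: str
    text: str
    participants: list                      # everyone else who can read the post

@dataclass
class Finding:
    rule: str
    severity: str
    detail: str

def screen_content(text: str) -> list:
    """Run every lexicon rule over the text and return the findings."""
    findings = []
    for name, pattern, severity in LEXICON:
        for m in pattern.finditer(text):
            hit = m.group(0)
            if name == "pan":
                digits = re.sub(r"\D", "", hit)
                if not luhn_ok(digits):
                    continue                # not a card number: suppress false positive
                hit = "*" * (len(digits) - 4) + digits[-4:]   # never store the real PAN
            findings.append(Finding(name, severity, hit))
    return findings

# Constructed directory and wall: research must not talk to investment banking.
DEPARTMENT = {"alice": "research", "bob": "investment_banking",
              "carol": "sales", "dave": "research"}
WALLS = {frozenset({"research", "investment_banking"})}

def wall_violations(post: Post) -> list:
    """Flag each recipient whose department is walled off from the author's."""
    src = DEPARTMENT.get(post.author)
    out = []
    for person in post.participants:
        dst = DEPARTMENT.get(person)
        if src and dst and frozenset({src, dst}) in WALLS:
            out.append(Finding("ethical_wall", "high", f"{post.author} ({src}) -> {person} ({dst})"))
    return out

def screen_post(post: Post) -> list:
    return screen_content(post.text) + wall_violations(post)

def needs_alert(findings: list) -> bool:
    """Alert a supervisor immediately only on high-severity findings."""
    return any(f.severity == "high" for f in findings)

SAMPLE_POSTS = [                            # constructed sample data
    Post("carol", "ACME is a sure thing, it will double by Q3!", ["alice"]),
    Post("alice", "Draft research note on ACME attached for comment.", ["dave", "bob"]),
    Post("carol", "Client card 4242 4242 4242 4242, please process today.", ["dave"]),
    Post("carol", "Order #1234 5678 9012 345 has shipped.", ["dave"]),
]

def screen_all(posts=SAMPLE_POSTS) -> dict:
    """Map post index to the rule names that fired, for posts with findings."""
    report = {}
    for i, post in enumerate(posts):
        findings = screen_post(post)
        if findings:
            report[i] = [f.rule for f in findings]
    return report

if __name__ == "__main__":
    for i, post in enumerate(SAMPLE_POSTS):
        found = screen_post(post)
        print("ALERT" if needs_alert(found) else "ok   ", post.author, [(f.rule, f.detail) for f in found])
```

Two design points matter more than the regexes themselves. First, a finding is itself a record that lands in the compliance archive, so the card number is masked before it is stored; otherwise the supervision system becomes a store of cardholder data and a PCI problem of its own. Second, a keyword lexicon only catches the phrasing it was written for ("will double" but not "should be trading well above here by Q3"), so it is a filter to reduce reviewer load and raise alerts, not a substitute for the supervisory review that retail communications still require.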
Regulatory Notice 11-39 (Social Media Websites and Use of Personal Devices)

In this notice, FINRA provides further guidance for firms on applying the rules governing communications with the public to social media. In short, firms are reminded that the existing rules on recordkeeping, suitability, supervision, and content all apply to social media. FINRA also clarified the following points:

• The content of the communication is determinative, not the communication channel.
• A firm may be held responsible for third-party posts under the "adoption" and "entanglement" theories.
• Business communications over personal devices must be retained, retrievable, and supervised.

Compliance considerations

• Mobile devices are increasingly used for business communications, which makes those communications subject to regulatory requirements even when the device is a personal one.

Compliance recommendations

Create or revise policies to incorporate business communications conducted over personal devices. Implement technology to ensure that such communications are captured for recordkeeping purposes.
How Actiance Meets FINRA Compliance Requirements

Vantage

Vantage is Actiance's governance solution for enterprise social software. It complements today's archiving systems by providing a level of granularity that ensures any information governance strategy is executed seamlessly. Actiance's Collaboration Framework underpins the capture of this wealth of data, maintaining the context of conversations and posts and storing them natively. The framework also gives organizations the flexibility of conducting eDiscovery from the Actiance database (thus facilitating contextual review), from the customer's own archive, or from a third-party archive.

Today's archiving solutions simply capture all collaboration content without providing any real-time insight into the meaning of the data. Vantage's content-inspection technology raises real-time alerts to detect potential loss or exposure of intellectual property and violations of corporate policy, such as the use of inappropriate language (e.g., inflammatory comments). Its policy framework allows granular policies to be defined between groups of employees, helping enterprises remain compliant. All of the available compliance controls were designed to address the key government and industry regulations (e.g., FINRA, SEC, FRCP, Sarbanes-Oxley, FERC).

Key features of Vantage include:

• TrueCompliance™: tamper-proof archiving of content; real-time content inspection; preservation of message or conversation order.
• Real-time alerts: send alerts based on the content detected (e.g., abusive language, trade secrets); scans content within files.
• Granular policy control: define capture policies at a granular level to map to compliance or corporate governance standards.
• Contextual capture: content is shown in the context of other related items in the reviewer UI.
Nine Steps to ESS Compliance

1. Gain visibility into all communications tools
The first step in any security review is to carry out an audit. Even if the use of real-time communications and social applications has been banned within the enterprise, the likelihood is that users have found a way to circumvent the measures put in place.

2. Develop policies taking FINRA guidelines into account
An acceptable use policy (AUP) lets users know exactly what they can and cannot do with ESS applications. State that the organization has the right to monitor all traffic, and remind registered representatives that they are bound by FINRA regulations even when they are not using the company network.

3. Implement monitoring technology
The only way to see who is using what, how often, and when is to implement monitoring technology. Even if a business chooses to ban specific real-time applications, without monitoring in place it can never be certain that users are actually complying.

4. Ensure granular access
Not all employees need access to every aspect of real-time communications tools or social applications. In the same way that organizations restrict certain file types (e.g., only the marketing department can receive GIFs and JPEGs), consider limiting the various types of real-time communications by job function.

5. Apply policy management and control
Apply centralized policy management and control with a single solution for all the email, instant messaging, and social applications in use in the enterprise. Use Active Directory integration to set and enforce global, group, and individual-level communications policies.
6. Enable content filtering
Ensure that posted content and sent messages can be monitored where necessary. Use lexicons to monitor efficiently for sensitive keywords, phrases, and regular expressions.

7. Send alerts
Limit the potential damage of inappropriate or inflammatory content by using alerts.

8. Capture edits and deletes
Edits and deletions are just as important as unchanged content. Ensure you have policies and systems in place to record content that was revised or removed.

9. Archive
Whether you need to retrieve messages for litigation, to substantiate a compliance issue, or just to confirm a contractual modification, all business messages need to be stored securely.

About Actiance

Actiance® is a global leader in communication, collaboration, and social media governance for the enterprise. Its governance platform is used by millions of professionals across dozens of industries. With the power of communication, collaboration, and social media at their fingertips, Actiance helps professionals everywhere to engage with customers and colleagues so they can unleash social business.

The Actiance platform gives organizations the ability to ensure compliance for all their communications channels. It provides real-time content monitoring, centralized policy management, contextual capture of content, and smart archiving, which improves the efficiency and cost-effectiveness of eDiscovery and helps protect users from malware and accidental or malicious leakage of information. Actiance supports all leading social media, unified communications, collaboration, and IM platforms, including Facebook (FB), LinkedIn (LNKD), Twitter, Google (GOOG), Yahoo! (YHOO), Skype, IBM (IBM), Jive (JIVE), Microsoft (MSFT), Cisco (CSCO), and Salesforce.com (CRM). Actiance is headquartered in Belmont, California.

More information
actiance.com
sales@actiance.com

Follow us
facebook.com/Actiance
linkedin.com/company/actiance-inc
twitter.com/actiance
youtube.com/actiance
slideshare.com/actiance

©2013 Actiance, Inc. All rights reserved. Actiance, the Actiance logo, Socialite, and the Socialite logo are registered trademarks of Actiance, Inc. Vantage is a trademark of Actiance, Inc. All other trademarks are the property of their respective owners.
