SlideShare a Scribd company logo

Compliance Guide for NFA-Registered Firms

Actiance, Inc.
Actiance, Inc.

The key rules, guidelines and associated risks for NFA registered firms and suggests ways that organizations can use technology to protect themselves and Members. In addition, it looks at some of the other issues that enterprises may encounter when enabling the new internet. In Actiance’s Fifth Annual Internet Usage Survey, which compares IT Estimates against live data from over 200 Actiance deployed appliances, over 99% of end users had adopted social media and Web 2.0 applications to support business processes. Conversely 38% of IT professionals believed there was no social networking present on their network. Enterprise communication tools still have their place within an organization, but users will always look to communicate in the easiest method. If their customer is conversing over Yahoo or Skype, users will try to access the relevant Web 2.0 application. Similarly, social networking sites such as LinkedIn and Twitter are now standard tools for savvy marketers and sales people.

TechnologyBusiness
1 of 13
Download to read offline
WHITE PAPER NFA: SOCIAL NETWORKS MEETING NOTICE I-10-01 COMPLIANCE REQUIREMENTS Compliance Guide for NFA-Registered Firms
WHITE PAPER – NFA Compliance Guide 2 Table of Contents Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Social Networking Does Not Occur in Isolation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Risks Beyond Being Out of Compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Data Leakage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Inbound Threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 User Behavior. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 NFA - Key Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Compliance Rule 2-29(h) – Radio and Television advertisements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Rule 2-9 – Supervision. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8 Rule 2-10 – Record Keeping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 NFA - Key Interpretive Notices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Notice 9041 - Obligations to Customers and Other Market Participants. . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Notice 9063 – Use of Social Media Web Sites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 How Actiance Meets NFA Compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Socialite. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Ten Steps to UC, IM and Web 2.0 Compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 About Actiance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 This white paper is for informational purposes only. Actiance makes no warranties, express or implied, in this document. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Actiance, Inc. © 2001 - 2011 Actiance, Inc. All rights reserved. Actiance and the Actiance logo are registered trademarks of Actiance, Inc. Actiance Vantage, Unified Security Gateway and Insight are trademarks of Actiance, Inc. All other trademarks are the property of their respective owners. Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc. A-WP-004-NFA-0111
WHITE PAPER – NFA Compliance Guide 3 Executive Summary In January 2010 the National Futures Association (NFA) issued Notice I-10-01, which puts into effect the amendments in how member firms manage and interact with social media as set out in a submission letter to the Commodity Futures Trading Commission (CFTC) in December 2009. There are currently 500 million Facebook users, 75 million members on LinkedIn and 190 million Twitterers. The growth in social networking sites is huge, not least because of the variety of ways it offers for people to communicate, but also the speed, allowing for deals to be closed quickly and information to be relayed without delay. However, when considering the results of a recent survey conducted by Actiance, which showed that Web-based chat was used in 95% of organizations and file sharing tools were found to be present in 74% of locations, it is clear that Notice I-10-01 should not just be taken in isolation when meeting NFA compliance. Enterprises must consider a wider remit that includes Unified Communications, IM and Web 2.0 applications to remain in compliance. Many internet based applications are specifically designed to evade legacy security solutions like URL filters and firewalls, others pose challenges in monitoring content and archiving. However, the benefits from using them are proving so great that it is easy for Members or Associates to forget their compliance obligations. This whitepaper sets out some of the key rules, guidelines and associated risks for NFA registered firms and suggests ways that organizations can use technology to protect themselves and Members. In addition, it looks at some of the other issues that enterprises may encounter when enabling the new internet. Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.
WHITE PAPER – NFA Compliance Guide 4 Social Networking Does Not Occur in Isolation It took the humble telephone eighty-nine years to reach the hundred and fifty million users that Facebook achieved in just five. The phenomenal growth of Web 2.0 and social networks has undoubtedly driven the growth in Enterprise Unified Communication (UC) tools such as Microsoft OCS, IBM Lotus Sametime and Reuters Messaging. However, just because an organization has standardized on an Enterprise tool it is not a prerequisite for the elimination of Facebook, LinkedIn and Twitter from the network. In Actiance’s Fifth Annual Internet Usage Survey, which compares IT Estimates against live data from over 200 Actiance deployed appliances, over 99% of end users had adopted social media and Web 2.0 applications to support business processes. Conversely 38% of IT professionals believed there was no social networking present on their network. This same survey showed 53% of end users downloading and using tools such as Facebook and LinkedIn because they “were better than those provided by my employer”. ■ IT Estimates (Survey) ■ Actiance Actual Tracking Data 100% 100 98% 95% 96% 95% 95% 88% 80% 82% 80 74% 66% 64% 60% 60 54% 40% 40 35% 20 15% 10% ng ing ng g agi IM eam eo ring nci rkin r s ess as ed Str io/ Vid V Sha er e t wo P ize dM bB d IPT ile o nf Ne VoI nym tan We Au PF bC ial Ano Ins P2 We So c Source: The Collaborative Internet. Usage Trends, End User Attitudes and IT Impact, March 2010 Enterprise communication tools still have their place within an organization, but users will always look to communicate in the easiest method. If their customer is conversing over Yahoo or Skype, users will try to access the relevant Web 2.0 application. Similarly, social networking sites such as LinkedIn and Twitter are now standard tools for savvy marketers and sales people. The Citi Cards division of Citibank is just one of a number of banks that are already using social networking to build a community around its brand. It has launched a campaign that centers on the power of harnessing a user’s network on Facebook, by offering to donate $50 to charity for every approved credit card application from a user’s “friend”. Bank of America is using Twitter, not to sell, but as an extension of their customer service support answering queries quickly, taking them to a more secure communications channel if sensitive information is required. It also used Twitter to keep customers appraised when the BofA website went down. All these real-time communication applications whether it’s Enterprise 2.0, Web 2.0 or Social Networking are just an extension of normal everyday conversations that used to take place over the phone or email. However, it is not without risk. Many applications and sites use port hopping, protocol tunneling and encryption techniques to enable them to work seamlessly, and frequently undetected, on the network providing an entry point for malware and exit for data leakage. Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.
WHITE PAPER – NFA Compliance Guide 5 Risks Beyond Being Out of Compliance The risks that Web 2.0, Social Media and enterprise collaboration tools pose are very similar to those of other electronic communications such as email: malware, data leakage, potential libellous comments, non-compliance with government and industry regulations, and expensive litigation or eDiscovery costs. Just like email, the principles for applying policies and securing these new types of communications remain the same. Most businesses have implemented numerous technologies to counteract the risk associated with email, from content control filters that prevent unsuitable emails from escaping the corporate network to anti malware software that protects both employees and the people they interact with everyday. All backed-up by a fully audited archive. However, unlike email, because Web 2.0, Social Media and Enterprise Communication tools cover such a wide range of modalities, from instant messaging to Twittering and from IPTV to playing games on Facebook, consideration should be given to types of applications, their individual capabilities and the associated risks. The problem for regulated financial institutions is that inappropriate use of such widely available communication and collaboration tools can mean non-compliance with government and industry regulations, resulting in hefty fines, potential loss of business and fraud. In 2005 NYSER fined Schwab $1 million, partly because of its failure to preserve and maintain instant messaging communications via Bloomberg terminals. More recently, Societe Generale lost nearly €4.9 billion in fraudulent trades by a rogue employee that used instant messaging to manage the transactions. News that Zicam, a nasal spray form of cold remedy produced by Matrixx Initiatives, had potentially been found to damage some peoples’ sense of smell was first revealed in Twitter discussions on June 15, 2009. Matrixx’ stock price that day went from $19.24 to $5.78. It’s not been higher than $6.55 since. Data Leakage Incoming Threats Compliance eDiscovery User Behavior Personal Information Malware, Spyware SEC, FINRA Employee Productivity Intellectual Property Viruses, Trojans HIPAA FISMA Bandwidth Explosion Credit Card, SSN Inappropriate Content SOX, PCI Every employee is the face of business Client Records FRCP- eDiscovery Ferc, NERC Web 2.0, social media, and real-time communications risks Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.
WHITE PAPER – NFA Compliance Guide 6 Data Leakage Data leakage through social media and Web 2.0 applications is now a significant threat. In the Actiance Fifth Annual Collaborative Internet survey, 69% of IT respondents reported incidents of malware and/or information leaks due to the use of Internet applications. Viruses were most common at 55 percent, followed by spyware infiltrations at 45 percent – but in new statistics gathered for the first time this year 14% have seen data leakage through social networks. The problem with Web 2.0 applications like IM, Skype and the chat functions within Facebook is that they can easily traverse the network without being seen, potentially allowing credit card details, confidential trading information, client records and the like to leave the organization unauthorized. If these applications cannot be seen then they cannot be managed or secured, resulting in a significant risk of violating compliance. There is also the potential for accidental leakage too and not just from sending an IM to the wrong person. For example, each of the 50,000 applets on Facebook requires users to download a small executable that gives access to a user’s profile, potentially retrieving information and even allowing malware in. Inbound Threats Just like email, malware writers like to make full use of social engineering techniques to persuade users to install their spyware and viruses. One of the main reasons for the bad guys’ success rate is that many users place too much trust in their network. Even though they may not know who their “friends” are in the real world, a feeling of trust builds up over a period of time. This makes users far more likely to click on a link from friend on Facebook, LinkedIn and Twitter than in an email, where most people today are a little more circumspect, particularly if it’s unexpected. Inappropriate content, whether it is a comment that could be construed as advertising or recommendation, a libellous statement about a competitor or just a really humiliating picture on Facebook, if the person is a recognizable employee it could compromise the whole organization. Consideration must also be given to the features within social media sites that can also inadvertently break regulations. Whilst still a theoretical problem, LinkedIn’s Recommendations feature that allows testimonials to be posted to a user’s LinkedIn page likely violates Rule 206(4)-1(a)(1) of the Investment Advisors Act of 1940. This could be a serious problem for any Member who currently has recommendations on their LinkedIn page. Compliance Virtually all company data is subject to discovery should legal action be taken, including communication traffic over Web 2.0, Social Media and UC. At the end of the day, this is all simply electronic communications. In order to comply with most industry and government regulations including NFA, organizations need to demonstrate information control, retention and review. However, in practice not many firms are able log content posted to Facebook, let alone try to control the content of the actual message. The process of archiving, storing and making these conversations and posts easily retrievable for regulatory compliance and legal discovery is made exponentially more complex because of the multidimensional nature of these conversations. For example, a chat conversation can include numerous participants joining at different times, creating a requirement to understand the context surrounding each participants understanding of these conversations – who entered – and left the conversation at what point during the discussion. Within financial industries this is normally taken a step further and the use of ethical walls between business functions is a required element of compliance. Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.
WHITE PAPER – NFA Compliance Guide 7 There are additional specific regulations outside of NFA guidelines that relate to Web 2.0, social media and enterprise communications: Regulation Impact Gramm-Leach-Bliley (GLBA) Info protection, monitor for sensitive content and ensure not sent over public channels (ex. Twitter) SEC and FINRA Obliged to store records and make accessible. Public correspondence requires approval, review and retention. Extended to social media. PCI Ensuring cardholder data is not sent over unsecured channels and proving it has not happened. Red Flag Rules Prevent identity theft. Protect IM and Web 2.0 from malware and phishing where users more likely to let down their guard. FRCP (e-Discovery) Email and IM are ESI (Electronically Stored Information). Posts to social media sites must be preserved if reasonably determined to be discoverable. Sarbanes-Oxley - SOX Businesses must preserve information relevant to the company reporting, this includes all IM and social media “conversations”. Canadian Securities Administrators Retain records for two years, in a manner that allows “rapid recovery to a regulator”. Can extend to National Instrument 31-303 (CSA NI) IM and social media. Investment Dealers Association of Demands the retention of records with relation to business activities, regardless of its medium Canada (IDA29.7) of creation. MiFID and FSA - Markets in Financial Specifically requires the retention of electronic communications conversations when trades Instruments Directive (EU) are referenced. Model Requirements for the manage- European requirements that define the functional requirements for the manner in which electronic ment of Electronic Records (MoReq) records are managed in an Electronic Records Management System. User Behavior Web 2.0 and social media offer huge productivity benefits, but that doesn’t mean to say that employees should be given a free rein. Consideration should still be given to whether an employee really needs access to specific applications or be able to transfer certain files types. Members of the marketing team might understand what is appropriate to post to Facebook, or indeed what process to follow to post – but “John” in the mailroom might not. His posts or photographs from weekend parties might not be suitable content. Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.
WHITE PAPER – NFA Compliance Guide 8 NFA - Key Rules Compliance Rule 2-29(h) – Radio and Television advertisements Under the proposed changes to Compliance Rule 2-29 (h) the NFA notes that profit claims and other trading recommendations normally associated with radio and television advertisements are starting to appear as podcasts and videos on sites such as YouTube. The rule now includes the words “distributed through media accessible by the public”, requiring that just like other mediums the video should be submitted to the NFA for prior approval at least 10 days in advance. Compliance considerations • Under Rule 29-2 Communications with the Public and Promotional Material misleading statements, mentions of profit without a statement about potential losses and high pressure tactics are strictly forbidden. • Rule 29-2(e) states “Every Member shall adopt and enforce written procedures to supervise its Associates and employees for compliance with this Rule.” Compliance recommendations Given that human error or judgment is frequently found to be a contributing factor in most adverse situations, organizations implemented content filtering for their email systems a long time ago. Companies need to implement a solution that provides content filtering for messages posted to a wide range of real-time communication tools, social networking sites and webmail (e.g., Gmail) to ensure all messages are appropriate. Notification to users about why a particular message was blocked, can help to train individuals further and highlight repeat offenders. Re-enforcing procedures is particularly critical since Interpretive notice 9037 states that should communications be permitted over systems other than those belonging to the firm, they must be treated as its own records with adequate review procedures in place. Rule 2-9 – Supervision “Each Member shall diligently supervise its employees and agents in the conduct of their commodity futures activities for or on behalf of the Member”, the inclusion of email and websites was confirmed in Interpretative Notice 9037, alongside a note that other forms of electronic communication should not be ignored. Interpretive notice 9063 now extends the ruling to specifically include other forms of electronic communications including social media. It also requires that blogs, forums and chat rooms hosted by the Member “where futures or forex are discussed” be supervised. Compliance considerations • It is not possible to supervise communications if the organization does not have visibility of all electronic communication tools in use on its network. • Even if an enterprise has standardized on its use of electronic communications tools, it does not prevent users from downloading other applications. Most real-time communication and Web 2.0 applications have been specifically designed to avoid detection by traditional security infrastructure. Compliance recommendations In order to be able to enforce communication policies, enterprises need to implement technology that is able to provide visibility of all real-time communication tools and Web 2.0 applications on the network and the ability to block or control their usage. Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.
WHITE PAPER – NFA Compliance Guide 9 Rule 2-10 – Record Keeping Members must “maintain adequate books and records necessary and appropriate to conduct its business.” This includes promotional material and websites that are intended for viewing by customers. In addition, Interpretive notice 9063, suggests that identification through screen names should also be part of an employer’s policies. Compliance considerations • Social Networking sites such as Facebook offer no native archiving functionality, making it difficult to comply with Rule 2-10 and Rule 2-29 (e) that sets out the requirements for review of all promotional material by a “supervisory employee other than the individual who prepared such material”. • Native archiving functionality offered by UC and other real-time communication tools is rarely able to provide a granular breakdown of conversations by persons (including buddynames), key phrases and timeframes, essential for compliance and eDiscovery requirements. • This is further complicated when a variety of modalities is used in a conversation from IM to Blackberry. Compliance recommendations Enterprises should deploy a central archiving system that enables easy review of messages posted and detailed analysis of electronic conversations including file downloads both internally and externally, complete with an audit trail of the auditor reviewing the information. In addition, the information should include who joined a conversation at which point and when they left, any disclaimers shown (at the beginning of an IM conversation for instance) and CDR information on voice calls, group meeting sessions etc. Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.
WHITE PAPER – NFA Compliance Guide 10 NFA – Key Interpretive Notices Notice 9041 – Obligations to Customers and Other Market Participants Trading ahead of customer orders or trading based on non-public information such as a research report not yet released is strictly forbidden for registered as brokers or dealers in security futures products. Notice 9041 recommends that “Members should consider developing and implementing firewalls to isolate specific information within research and other relevant departments of the firm so as to prevent the trading department from utilizing the advance knowledge of the issuance of the research report.” Compliance considerations • In certain situations there may be a requirement to restrict electronic conversations between internal personnel such as non-research and research departments. In addition, there may be a requirement to restrict electronic communication between specific people from different organizations, whilst still allowing broad communication with others. • Though it is easy for a Member or Associate to recognize in a one to one instant message conversation whether or not they should be talking to the individual, with the uptake of services such as Microsoft’s Group Chat it is now a considerable risk. • Multi-party communications such as chatrooms, live meetings etc make it easy for individuals to accidentally infringe NFA and other regulations such as the Commodity Futures Modernization Act of 2000 (CFMA¬). Compliance recommendations Implement ethical walls at both a group and domain level to ensure that conflicting personnel do not accidentally “meet” electronically and maintain a full audit trail that clearly displays when an individual joined a meeting and subsequently left. In addition, the use of disclaimers when using UC platforms such as Microsoft OCS and IBM Lotus Sametime as a member joins a meeting can help to reinforce the message. Notice 9063 – Use of Social Media Web Sites The release of notice 9063 makes it very clear that all electronic communications shared via the internet should be included when considering regulation in particular NFA Compliance Rules 2-29, 2-36, or 2-39. In addition it also makes clear that content posted to third party sites is included in NFA regulations. Compliance considerations • Social media is a dynamic medium that relies on quick interaction between participants to be a useful resource for information and communication. Allowing unfiltered access raises the possibility of an employee accidentally or deliberately saying something inappropriate. • Moderating every post manually will increase the overhead of using social media and may also add an element of delay in the “conversation” that negates the benefit of using the medium. Compliance recommendations Educate users to understand what is considered appropriate content. Implement filters that can control the content posted to sites such Facebook, LinkedIn and Twitter and enable the automation of the moderation process where applicable. Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.
WHITE PAPER – NFA Compliance Guide 11 How Actiance Meets NFA Compliance Socialite Socialite is Actiance’s security, management, and compliance solution for Social Networks, providing granular control of Facebook, LinkedIn, and Twitter. Socialite not only controls access to 150 different features across social networks, but can also moderate, manage, and archive any social media traffic routed through the solution, which can either be on-premise or hosted. Socialite includes a number of key features for securely enabling the use of social networks, including: • Data leak prevention: preventing sensitive data from leaving the company, either maliciously or inadvertently • Identity management: establishing a single corporate identity and tracking users across multiple social media platforms (e.g., @JohnJones on Twitter is the same as JohnHJones on LinkedIn) • Activity control: managing access to features, such as who can read, like, comment upon, or access specific features • Moderator control: pre-approving content for Facebook, LinkedIn, and Twitter, where content is required to be reviewed by a corporate communications officer or other third party • Granular application control: enabling access to Facebook but not to Facebook Chat or downloading/installing any of the applications in the gaming category • Conversation and content logging: capturing all posts, messages, and commentary in context, including export to an archiving platform of your choice for eDiscovery purposes Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.
WHITE PAPER – NFA Compliance Guide 12 Ten Steps to UC, IM and Web 2.0 Compliance 1. Gain visibility of all communications tools The first step in any security review is to carry out an audit. Even if the use of real-time communications and Web 2.0 applications has been banned within the enterprise, the likelihood is users will have found a way to circumvent any measures put in place. 2. Develop policies under FINRA guidelines An acceptable usage policy will let users know exactly what they can and can’t do using UC, IM and Web 2.0 applications. Don’t forget to include that the organization has the right to monitor all traffic and to remind Members and Associates that they are bound by NFA regulations even if they are not using the company network. 3. Implement monitoring technology The only way to see who is using what, how often and when, is to implement monitoring technology. Even if a business chooses to ban particular real-time application or social networking sites, without monitoring in place they can never be certain that users are complying. 4. Ensure Granular Access Not all employees need access to every aspect of real-time communication tools or Web 2.0 applications. In the same way organizations block certain file types such as only the marketing department can receive gifs and jpegs, consider limiting the various types of real-time communication via job function. 5. Apply policy management and control Apply centralized policy management and control with a single solution for setting and enforcing policy for all elements of Web browsing, UC and IM in use in the enterprise. Use Active Directory integration to set global, group, user level real-time communications policies. 6. Enable Content Filtering Ensure content posted and messages sent via Web 2.0 applications such as Facebook or real-time communication tools such as Skype can be monitored and blocked where necessary. 7. Implement Ethical Walls Prevent Members or Associates from accidentally meeting conflicting personnel within official chatrooms. 8. Use Disclaimer Messages Customizable disclaimer can not only make third parties aware of limitations, they can also be used to remind users of their obligations before entering into discussions. 9. Archive Whether you need to retrieve messages for legal litigation, to prove a point on compliance or just to confirm a contractual change, all business messages need to be stored securely. 10. Don’t forget about malware and data leakage Protect the network by detecting and blocking incoming infections and uncover existing endpoint infections when the spyware starts trying to ‘phone home’. Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.
WHITE PAPER – NFA Compliance Guide 13 About Actiance Actiance enables the safe and productive use of unified communications, collaboration, and Web 2.0, including blogs and social networking sites. Formerly FaceTime Communications, Actiance’s award-winning platforms are used by 9 of the top 10 US banks and more than 1,600 organizations globally for the security, management, and compliance of unified communications, Web 2.0, and social media channels. Actiance supports all leading social networks, unified communications providers, and IM platforms, including Facebook, LinkedIn, Twitter, AOL, Google, Yahoo!, Skype, Microsoft, IBM and Cisco. More Information For more information about Actiance and its solutions, please visit http://www.actiance.com. Worldwide Headquarters 1301 Shoreway, Suite 275 Belmont, CA 94002 USA (650) 631-6300 phone EMEA Headquarters 400 Thames Valley Park Reading, Berkshire, RG6 1PT UK +44 (0) 118 963 7469 phone emea@actiance.com Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.

Recommended

Optimizing the Monetization of a Connected Universe
Optimizing the Monetization of a Connected UniverseOptimizing the Monetization of a Connected Universe
Optimizing the Monetization of a Connected UniverseComverse, Inc.
 
Arise EMEA - My Story Video Contest
Arise EMEA - My Story Video ContestArise EMEA - My Story Video Contest
Arise EMEA - My Story Video ContestArise International
 
Insperity Business Confidence Survey Q2 2015 [Infographic]
Insperity Business Confidence Survey Q2 2015 [Infographic]Insperity Business Confidence Survey Q2 2015 [Infographic]
Insperity Business Confidence Survey Q2 2015 [Infographic]Insperity
 
Get Your Head in the Cloud
Get Your Head in the CloudGet Your Head in the Cloud
Get Your Head in the CloudClaris Networks
 
2014 Ecommerce Holiday Prep
2014 Ecommerce Holiday Prep2014 Ecommerce Holiday Prep
2014 Ecommerce Holiday PrepTenzing Managed IT Services
 
Microsoft Office for the iPhone and iPad
Microsoft Office for the iPhone and iPadMicrosoft Office for the iPhone and iPad
Microsoft Office for the iPhone and iPadPalmetto Technology Group
 
Driving Business Applications with Real-Time Data
Driving Business Applications with Real-Time DataDriving Business Applications with Real-Time Data
Driving Business Applications with Real-Time DataBP Logix
 
Call Management Services Should be Part of Every Business Telephone System
Call Management Services Should be Part of Every Business Telephone SystemCall Management Services Should be Part of Every Business Telephone System
Call Management Services Should be Part of Every Business Telephone SystemMahindra Comviva
 

Recommended

Optimizing the Monetization of a Connected Universe
Optimizing the Monetization of a Connected UniverseOptimizing the Monetization of a Connected Universe
Optimizing the Monetization of a Connected UniverseComverse, Inc.
 
Arise EMEA - My Story Video Contest
Arise EMEA - My Story Video ContestArise EMEA - My Story Video Contest
Arise EMEA - My Story Video ContestArise International
 
Insperity Business Confidence Survey Q2 2015 [Infographic]
Insperity Business Confidence Survey Q2 2015 [Infographic]Insperity Business Confidence Survey Q2 2015 [Infographic]
Insperity Business Confidence Survey Q2 2015 [Infographic]Insperity
 
Get Your Head in the Cloud
Get Your Head in the CloudGet Your Head in the Cloud
Get Your Head in the CloudClaris Networks
 
2014 Ecommerce Holiday Prep
2014 Ecommerce Holiday Prep2014 Ecommerce Holiday Prep
2014 Ecommerce Holiday PrepTenzing Managed IT Services
 
Microsoft Office for the iPhone and iPad
Microsoft Office for the iPhone and iPadMicrosoft Office for the iPhone and iPad
Microsoft Office for the iPhone and iPadPalmetto Technology Group
 
Driving Business Applications with Real-Time Data
Driving Business Applications with Real-Time DataDriving Business Applications with Real-Time Data
Driving Business Applications with Real-Time DataBP Logix
 
Call Management Services Should be Part of Every Business Telephone System
Call Management Services Should be Part of Every Business Telephone SystemCall Management Services Should be Part of Every Business Telephone System
Call Management Services Should be Part of Every Business Telephone SystemMahindra Comviva
 
Cloud Expo May 09 Richard Britton, Cloud Computing for SMEs
Cloud Expo May 09 Richard Britton, Cloud Computing for SMEsCloud Expo May 09 Richard Britton, Cloud Computing for SMEs
Cloud Expo May 09 Richard Britton, Cloud Computing for SMEsEasynet Connect
 
Msp deck v1.0
Msp deck v1.0Msp deck v1.0
Msp deck v1.0AccelOps
 
OpenStack 101 Presentation
OpenStack 101 PresentationOpenStack 101 Presentation
OpenStack 101 PresentationEVault
 
Managing supplier content and product information
Managing supplier content and product informationManaging supplier content and product information
Managing supplier content and product informationEnterworks Inc.
 
KPN Getronics Portfolio informatie
KPN Getronics Portfolio informatieKPN Getronics Portfolio informatie
KPN Getronics Portfolio informatieKPN Getronics
 
2 7-2013-big data and e-discovery
2 7-2013-big data and e-discovery2 7-2013-big data and e-discovery
2 7-2013-big data and e-discoveryExterro
 
KServe Retail Outlet
KServe Retail OutletKServe Retail Outlet
KServe Retail OutletKallos Solutions Pvt Ltd
 
Actiance handbook FINRA
Actiance handbook FINRAActiance handbook FINRA
Actiance handbook FINRAIvonne Kinser
 
Compliance implications of social media
Compliance implications of social mediaCompliance implications of social media
Compliance implications of social mediaActiance, Inc.
 
Smart Lighting 2012
Smart Lighting 2012Smart Lighting 2012
Smart Lighting 2012n-tech Research
 
Whitepaper Availability complete visibility service provider
Whitepaper Availability complete visibility service providerWhitepaper Availability complete visibility service provider
Whitepaper Availability complete visibility service providerS. Hanau
 
GoldenGate Fundamentals Student Guide Version 10.4
GoldenGate Fundamentals Student Guide Version 10.4 GoldenGate Fundamentals Student Guide Version 10.4
GoldenGate Fundamentals Student Guide Version 10.4 voyna
 
Security Challenges in Cloud
Security Challenges in CloudSecurity Challenges in Cloud
Security Challenges in CloudMarketingArrowECS_CZ
 
Continuous Monitoring for Web Application Security
Continuous Monitoring for Web Application SecurityContinuous Monitoring for Web Application Security
Continuous Monitoring for Web Application SecurityCenzic
 
Intel Core second generation Sandy Bridge new models and specifications
Intel Core second generation Sandy Bridge new models and specificationsIntel Core second generation Sandy Bridge new models and specifications
Intel Core second generation Sandy Bridge new models and specificationsdegarden
 
Idol Server 7.3 Admin Rev7
Idol Server 7.3 Admin Rev7Idol Server 7.3 Admin Rev7
Idol Server 7.3 Admin Rev7guest0a2cbfba
 
Markets for Transparent Conductors in Touch Screen Sensors
Markets for Transparent Conductors in Touch Screen SensorsMarkets for Transparent Conductors in Touch Screen Sensors
Markets for Transparent Conductors in Touch Screen Sensorsn-tech Research
 
121cash mgmt
121cash mgmt121cash mgmt
121cash mgmtNamita Kumari
 
Executive Summary-BIPV Markets
Executive Summary-BIPV MarketsExecutive Summary-BIPV Markets
Executive Summary-BIPV Marketsn-tech Research
 
MITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdfMITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdfReZa AdineH
 
Optimizing the Virtual Environment
Optimizing the Virtual EnvironmentOptimizing the Virtual Environment
Optimizing the Virtual Environmentuptime software
 
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile SpywareiSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile SpywareTyler Shields
 

More Related Content

Viewers also liked

Cloud Expo May 09 Richard Britton, Cloud Computing for SMEs
Cloud Expo May 09 Richard Britton, Cloud Computing for SMEsCloud Expo May 09 Richard Britton, Cloud Computing for SMEs
Cloud Expo May 09 Richard Britton, Cloud Computing for SMEsEasynet Connect
 
Msp deck v1.0
Msp deck v1.0Msp deck v1.0
Msp deck v1.0AccelOps
 
OpenStack 101 Presentation
OpenStack 101 PresentationOpenStack 101 Presentation
OpenStack 101 PresentationEVault
 
Managing supplier content and product information
Managing supplier content and product informationManaging supplier content and product information
Managing supplier content and product informationEnterworks Inc.
 
KPN Getronics Portfolio informatie
KPN Getronics Portfolio informatieKPN Getronics Portfolio informatie
KPN Getronics Portfolio informatieKPN Getronics
 
2 7-2013-big data and e-discovery
2 7-2013-big data and e-discovery2 7-2013-big data and e-discovery
2 7-2013-big data and e-discoveryExterro
 

Viewers also liked (7)

Cloud Expo May 09 Richard Britton, Cloud Computing for SMEs
Cloud Expo May 09 Richard Britton, Cloud Computing for SMEsCloud Expo May 09 Richard Britton, Cloud Computing for SMEs
Cloud Expo May 09 Richard Britton, Cloud Computing for SMEs
 
Msp deck v1.0
Msp deck v1.0Msp deck v1.0
Msp deck v1.0
 
OpenStack 101 Presentation
OpenStack 101 PresentationOpenStack 101 Presentation
OpenStack 101 Presentation
 
Managing supplier content and product information
Managing supplier content and product informationManaging supplier content and product information
Managing supplier content and product information
 
KPN Getronics Portfolio informatie
KPN Getronics Portfolio informatieKPN Getronics Portfolio informatie
KPN Getronics Portfolio informatie
 
2 7-2013-big data and e-discovery
2 7-2013-big data and e-discovery2 7-2013-big data and e-discovery
2 7-2013-big data and e-discovery
 
KServe Retail Outlet
KServe Retail OutletKServe Retail Outlet
KServe Retail Outlet
 

Similar to Compliance Guide for NFA-Registered Firms

Actiance handbook FINRA
Actiance handbook FINRAActiance handbook FINRA
Actiance handbook FINRAIvonne Kinser
 
Compliance implications of social media
Compliance implications of social mediaCompliance implications of social media
Compliance implications of social mediaActiance, Inc.
 
Whitepaper Availability complete visibility service provider
Whitepaper Availability complete visibility service providerWhitepaper Availability complete visibility service provider
Whitepaper Availability complete visibility service providerS. Hanau
 
GoldenGate Fundamentals Student Guide Version 10.4
GoldenGate Fundamentals Student Guide Version 10.4 GoldenGate Fundamentals Student Guide Version 10.4
GoldenGate Fundamentals Student Guide Version 10.4 voyna
 
Continuous Monitoring for Web Application Security
Continuous Monitoring for Web Application SecurityContinuous Monitoring for Web Application Security
Continuous Monitoring for Web Application SecurityCenzic
 
Intel Core second generation Sandy Bridge new models and specifications
Intel Core second generation Sandy Bridge new models and specificationsIntel Core second generation Sandy Bridge new models and specifications
Intel Core second generation Sandy Bridge new models and specificationsdegarden
 
Idol Server 7.3 Admin Rev7
Idol Server 7.3 Admin Rev7Idol Server 7.3 Admin Rev7
Idol Server 7.3 Admin Rev7guest0a2cbfba
 
Markets for Transparent Conductors in Touch Screen Sensors
Markets for Transparent Conductors in Touch Screen SensorsMarkets for Transparent Conductors in Touch Screen Sensors
Markets for Transparent Conductors in Touch Screen Sensorsn-tech Research
 
Executive Summary-BIPV Markets
Executive Summary-BIPV MarketsExecutive Summary-BIPV Markets
Executive Summary-BIPV Marketsn-tech Research
 
MITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdfMITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdfReZa AdineH
 
Optimizing the Virtual Environment
Optimizing the Virtual EnvironmentOptimizing the Virtual Environment
Optimizing the Virtual Environmentuptime software
 
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile SpywareiSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile SpywareTyler Shields
 
Source Boston 2010 - The Monkey Steals the Berries Part Deux
Source Boston 2010 - The Monkey Steals the Berries Part DeuxSource Boston 2010 - The Monkey Steals the Berries Part Deux
Source Boston 2010 - The Monkey Steals the Berries Part DeuxTyler Shields
 
IT guide for Vocollect Voice Systems
IT guide for Vocollect Voice SystemsIT guide for Vocollect Voice Systems
IT guide for Vocollect Voice SystemsBoreal Technologies
 

Similar to Compliance Guide for NFA-Registered Firms (20)

Actiance handbook FINRA
Actiance handbook FINRAActiance handbook FINRA
Actiance handbook FINRA
 
Compliance implications of social media
Compliance implications of social mediaCompliance implications of social media
Compliance implications of social media
 
Smart Lighting 2012
Smart Lighting 2012Smart Lighting 2012
Smart Lighting 2012
 
Whitepaper Availability complete visibility service provider
Whitepaper Availability complete visibility service providerWhitepaper Availability complete visibility service provider
Whitepaper Availability complete visibility service provider
 
GoldenGate Fundamentals Student Guide Version 10.4
GoldenGate Fundamentals Student Guide Version 10.4 GoldenGate Fundamentals Student Guide Version 10.4
GoldenGate Fundamentals Student Guide Version 10.4
 
Security Challenges in Cloud
Security Challenges in CloudSecurity Challenges in Cloud
Security Challenges in Cloud
 
Continuous Monitoring for Web Application Security
Continuous Monitoring for Web Application SecurityContinuous Monitoring for Web Application Security
Continuous Monitoring for Web Application Security
 
Intel Core second generation Sandy Bridge new models and specifications
Intel Core second generation Sandy Bridge new models and specificationsIntel Core second generation Sandy Bridge new models and specifications
Intel Core second generation Sandy Bridge new models and specifications
 
Idol Server 7.3 Admin Rev7
Idol Server 7.3 Admin Rev7Idol Server 7.3 Admin Rev7
Idol Server 7.3 Admin Rev7
 
Markets for Transparent Conductors in Touch Screen Sensors
Markets for Transparent Conductors in Touch Screen SensorsMarkets for Transparent Conductors in Touch Screen Sensors
Markets for Transparent Conductors in Touch Screen Sensors
 
121cash mgmt
121cash mgmt121cash mgmt
121cash mgmt
 
Executive Summary-BIPV Markets
Executive Summary-BIPV MarketsExecutive Summary-BIPV Markets
Executive Summary-BIPV Markets
 
MITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdfMITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdf
 
Optimizing the Virtual Environment
Optimizing the Virtual EnvironmentOptimizing the Virtual Environment
Optimizing the Virtual Environment
 
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile SpywareiSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware
 
Oc130 v4hp3000ug
Oc130 v4hp3000ugOc130 v4hp3000ug
Oc130 v4hp3000ug
 
Source Boston 2010 - The Monkey Steals the Berries Part Deux
Source Boston 2010 - The Monkey Steals the Berries Part DeuxSource Boston 2010 - The Monkey Steals the Berries Part Deux
Source Boston 2010 - The Monkey Steals the Berries Part Deux
 
IT guide for Vocollect Voice Systems
IT guide for Vocollect Voice SystemsIT guide for Vocollect Voice Systems
IT guide for Vocollect Voice Systems
 
Ovc3860 command-list
Ovc3860 command-listOvc3860 command-list
Ovc3860 command-list
 
Aiim
AiimAiim
Aiim
 

More from Actiance, Inc.

The case for social media management and archiving
The case for social media management and archivingThe case for social media management and archiving
The case for social media management and archivingActiance, Inc.
 
Why you need to focus on social networking in your company
Why you need to focus on social networking in your companyWhy you need to focus on social networking in your company
Why you need to focus on social networking in your companyActiance, Inc.
 
Actiance whitepaper-ost-federal-unified-communications
Actiance whitepaper-ost-federal-unified-communicationsActiance whitepaper-ost-federal-unified-communications
Actiance whitepaper-ost-federal-unified-communicationsActiance, Inc.
 
The impact of the new FRCP amendments on your business
The impact of the new FRCP amendments on your businessThe impact of the new FRCP amendments on your business
The impact of the new FRCP amendments on your businessActiance, Inc.
 
The impact of new communication tools for financial services firms
The impact of new communication tools for financial services firms The impact of new communication tools for financial services firms
The impact of new communication tools for financial services firms Actiance, Inc.
 
Messaging best practices for 2011
Messaging best practices for 2011Messaging best practices for 2011
Messaging best practices for 2011Actiance, Inc.
 
Importance of social media in Pharmaceutical industry
Importance of social media in Pharmaceutical industryImportance of social media in Pharmaceutical industry
Importance of social media in Pharmaceutical industryActiance, Inc.
 
How do you quantify ROI on social media?
How do you quantify ROI on social media?How do you quantify ROI on social media?
How do you quantify ROI on social media?Actiance, Inc.
 
IDC event flash on Socialite launch
IDC event flash on Socialite launchIDC event flash on Socialite launch
IDC event flash on Socialite launchActiance, Inc.
 
Social Media Guidelines for Insurance Industry
Social Media Guidelines for Insurance Industry Social Media Guidelines for Insurance Industry
Social Media Guidelines for Insurance Industry Actiance, Inc.
 
Enterprises are upgrading from Microsoft OCS to Lync
Enterprises are upgrading from Microsoft OCS to LyncEnterprises are upgrading from Microsoft OCS to Lync
Enterprises are upgrading from Microsoft OCS to LyncActiance, Inc.
 
True Compliance for Social Media
True Compliance for Social MediaTrue Compliance for Social Media
True Compliance for Social MediaActiance, Inc.
 
Social Media and Litigation are Outlining eDiscovery Issues
Social Media and Litigation are Outlining eDiscovery IssuesSocial Media and Litigation are Outlining eDiscovery Issues
Social Media and Litigation are Outlining eDiscovery IssuesActiance, Inc.
 
Handbook on Interpreting FINRA Regulatory Notices 10-06 and 11-39 and Using S...
Handbook on Interpreting FINRA Regulatory Notices 10-06 and 11-39 and Using S...Handbook on Interpreting FINRA Regulatory Notices 10-06 and 11-39 and Using S...
Handbook on Interpreting FINRA Regulatory Notices 10-06 and 11-39 and Using S...Actiance, Inc.
 
Actiance handbook-interpreting finra-10-03_and_11-39_for_using_social_media
Actiance handbook-interpreting finra-10-03_and_11-39_for_using_social_mediaActiance handbook-interpreting finra-10-03_and_11-39_for_using_social_media
Actiance handbook-interpreting finra-10-03_and_11-39_for_using_social_mediaActiance, Inc.
 

More from Actiance, Inc. (15)

The case for social media management and archiving
The case for social media management and archivingThe case for social media management and archiving
The case for social media management and archiving
 
Why you need to focus on social networking in your company
Why you need to focus on social networking in your companyWhy you need to focus on social networking in your company
Why you need to focus on social networking in your company
 
Actiance whitepaper-ost-federal-unified-communications
Actiance whitepaper-ost-federal-unified-communicationsActiance whitepaper-ost-federal-unified-communications
Actiance whitepaper-ost-federal-unified-communications
 
The impact of the new FRCP amendments on your business
The impact of the new FRCP amendments on your businessThe impact of the new FRCP amendments on your business
The impact of the new FRCP amendments on your business
 
The impact of new communication tools for financial services firms
The impact of new communication tools for financial services firms The impact of new communication tools for financial services firms
The impact of new communication tools for financial services firms
 
Messaging best practices for 2011
Messaging best practices for 2011Messaging best practices for 2011
Messaging best practices for 2011
 
Importance of social media in Pharmaceutical industry
Importance of social media in Pharmaceutical industryImportance of social media in Pharmaceutical industry
Importance of social media in Pharmaceutical industry
 
How do you quantify ROI on social media?
How do you quantify ROI on social media?How do you quantify ROI on social media?
How do you quantify ROI on social media?
 
IDC event flash on Socialite launch
IDC event flash on Socialite launchIDC event flash on Socialite launch
IDC event flash on Socialite launch
 
Social Media Guidelines for Insurance Industry
Social Media Guidelines for Insurance Industry Social Media Guidelines for Insurance Industry
Social Media Guidelines for Insurance Industry
 
Enterprises are upgrading from Microsoft OCS to Lync
Enterprises are upgrading from Microsoft OCS to LyncEnterprises are upgrading from Microsoft OCS to Lync
Enterprises are upgrading from Microsoft OCS to Lync
 
True Compliance for Social Media
True Compliance for Social MediaTrue Compliance for Social Media
True Compliance for Social Media
 
Social Media and Litigation are Outlining eDiscovery Issues
Social Media and Litigation are Outlining eDiscovery IssuesSocial Media and Litigation are Outlining eDiscovery Issues
Social Media and Litigation are Outlining eDiscovery Issues
 
Handbook on Interpreting FINRA Regulatory Notices 10-06 and 11-39 and Using S...
Handbook on Interpreting FINRA Regulatory Notices 10-06 and 11-39 and Using S...Handbook on Interpreting FINRA Regulatory Notices 10-06 and 11-39 and Using S...
Handbook on Interpreting FINRA Regulatory Notices 10-06 and 11-39 and Using S...
 
Actiance handbook-interpreting finra-10-03_and_11-39_for_using_social_media
Actiance handbook-interpreting finra-10-03_and_11-39_for_using_social_mediaActiance handbook-interpreting finra-10-03_and_11-39_for_using_social_media
Actiance handbook-interpreting finra-10-03_and_11-39_for_using_social_media
 

Recently uploaded

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 

Recently uploaded (20)

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 

Compliance Guide for NFA-Registered Firms

  • 1. WHITE PAPER NFA: SOCIAL NETWORKS MEETING NOTICE I-10-01 COMPLIANCE REQUIREMENTS Compliance Guide for NFA-Registered Firms
  • 2. WHITE PAPER – NFA Compliance Guide 2 Table of Contents Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Social Networking Does Not Occur in Isolation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Risks Beyond Being Out of Compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Data Leakage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Inbound Threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 User Behavior. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 NFA - Key Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Compliance Rule 2-29(h) – Radio and Television advertisements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Rule 2-9 – Supervision. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8 Rule 2-10 – Record Keeping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 NFA - Key Interpretive Notices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Notice 9041 - Obligations to Customers and Other Market Participants. . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Notice 9063 – Use of Social Media Web Sites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 How Actiance Meets NFA Compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Socialite. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Ten Steps to UC, IM and Web 2.0 Compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 About Actiance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 This white paper is for informational purposes only. Actiance makes no warranties, express or implied, in this document. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Actiance, Inc. © 2001 - 2011 Actiance, Inc. All rights reserved. Actiance and the Actiance logo are registered trademarks of Actiance, Inc. Actiance Vantage, Unified Security Gateway and Insight are trademarks of Actiance, Inc. All other trademarks are the property of their respective owners. Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc. A-WP-004-NFA-0111
  • 3. WHITE PAPER – NFA Compliance Guide 3 Executive Summary In January 2010 the National Futures Association (NFA) issued Notice I-10-01, which puts into effect the amendments in how member firms manage and interact with social media as set out in a submission letter to the Commodity Futures Trading Commission (CFTC) in December 2009. There are currently 500 million Facebook users, 75 million members on LinkedIn and 190 million Twitterers. The growth in social networking sites is huge, not least because of the variety of ways it offers for people to communicate, but also the speed, allowing for deals to be closed quickly and information to be relayed without delay. However, when considering the results of a recent survey conducted by Actiance, which showed that Web-based chat was used in 95% of organizations and file sharing tools were found to be present in 74% of locations, it is clear that Notice I-10-01 should not just be taken in isolation when meeting NFA compliance. Enterprises must consider a wider remit that includes Unified Communications, IM and Web 2.0 applications to remain in compliance. Many internet based applications are specifically designed to evade legacy security solutions like URL filters and firewalls, others pose challenges in monitoring content and archiving. However, the benefits from using them are proving so great that it is easy for Members or Associates to forget their compliance obligations. This whitepaper sets out some of the key rules, guidelines and associated risks for NFA registered firms and suggests ways that organizations can use technology to protect themselves and Members. In addition, it looks at some of the other issues that enterprises may encounter when enabling the new internet. Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.
  • 4. WHITE PAPER – NFA Compliance Guide 4 Social Networking Does Not Occur in Isolation It took the humble telephone eighty-nine years to reach the hundred and fifty million users that Facebook achieved in just five. The phenomenal growth of Web 2.0 and social networks has undoubtedly driven the growth in Enterprise Unified Communication (UC) tools such as Microsoft OCS, IBM Lotus Sametime and Reuters Messaging. However, just because an organization has standardized on an Enterprise tool it is not a prerequisite for the elimination of Facebook, LinkedIn and Twitter from the network. In Actiance’s Fifth Annual Internet Usage Survey, which compares IT Estimates against live data from over 200 Actiance deployed appliances, over 99% of end users had adopted social media and Web 2.0 applications to support business processes. Conversely 38% of IT professionals believed there was no social networking present on their network. This same survey showed 53% of end users downloading and using tools such as Facebook and LinkedIn because they “were better than those provided by my employer”. ■ IT Estimates (Survey) ■ Actiance Actual Tracking Data 100% 100 98% 95% 96% 95% 95% 88% 80% 82% 80 74% 66% 64% 60% 60 54% 40% 40 35% 20 15% 10% ng ing ng g agi IM eam eo ring nci rkin r s ess as ed Str io/ Vid V Sha er e t wo P ize dM bB d IPT ile o nf Ne VoI nym tan We Au PF bC ial Ano Ins P2 We So c Source: The Collaborative Internet. Usage Trends, End User Attitudes and IT Impact, March 2010 Enterprise communication tools still have their place within an organization, but users will always look to communicate in the easiest method. If their customer is conversing over Yahoo or Skype, users will try to access the relevant Web 2.0 application. Similarly, social networking sites such as LinkedIn and Twitter are now standard tools for savvy marketers and sales people. The Citi Cards division of Citibank is just one of a number of banks that are already using social networking to build a community around its brand. It has launched a campaign that centers on the power of harnessing a user’s network on Facebook, by offering to donate $50 to charity for every approved credit card application from a user’s “friend”. Bank of America is using Twitter, not to sell, but as an extension of their customer service support answering queries quickly, taking them to a more secure communications channel if sensitive information is required. It also used Twitter to keep customers appraised when the BofA website went down. All these real-time communication applications whether it’s Enterprise 2.0, Web 2.0 or Social Networking are just an extension of normal everyday conversations that used to take place over the phone or email. However, it is not without risk. Many applications and sites use port hopping, protocol tunneling and encryption techniques to enable them to work seamlessly, and frequently undetected, on the network providing an entry point for malware and exit for data leakage. Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.
  • 5. WHITE PAPER – NFA Compliance Guide 5 Risks Beyond Being Out of Compliance The risks that Web 2.0, Social Media and enterprise collaboration tools pose are very similar to those of other electronic communications such as email: malware, data leakage, potential libellous comments, non-compliance with government and industry regulations, and expensive litigation or eDiscovery costs. Just like email, the principles for applying policies and securing these new types of communications remain the same. Most businesses have implemented numerous technologies to counteract the risk associated with email, from content control filters that prevent unsuitable emails from escaping the corporate network to anti malware software that protects both employees and the people they interact with everyday. All backed-up by a fully audited archive. However, unlike email, because Web 2.0, Social Media and Enterprise Communication tools cover such a wide range of modalities, from instant messaging to Twittering and from IPTV to playing games on Facebook, consideration should be given to types of applications, their individual capabilities and the associated risks. The problem for regulated financial institutions is that inappropriate use of such widely available communication and collaboration tools can mean non-compliance with government and industry regulations, resulting in hefty fines, potential loss of business and fraud. In 2005 NYSER fined Schwab $1 million, partly because of its failure to preserve and maintain instant messaging communications via Bloomberg terminals. More recently, Societe Generale lost nearly €4.9 billion in fraudulent trades by a rogue employee that used instant messaging to manage the transactions. News that Zicam, a nasal spray form of cold remedy produced by Matrixx Initiatives, had potentially been found to damage some peoples’ sense of smell was first revealed in Twitter discussions on June 15, 2009. Matrixx’ stock price that day went from $19.24 to $5.78. It’s not been higher than $6.55 since. Data Leakage Incoming Threats Compliance eDiscovery User Behavior Personal Information Malware, Spyware SEC, FINRA Employee Productivity Intellectual Property Viruses, Trojans HIPAA FISMA Bandwidth Explosion Credit Card, SSN Inappropriate Content SOX, PCI Every employee is the face of business Client Records FRCP- eDiscovery Ferc, NERC Web 2.0, social media, and real-time communications risks Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.
  • 6. WHITE PAPER – NFA Compliance Guide 6 Data Leakage Data leakage through social media and Web 2.0 applications is now a significant threat. In the Actiance Fifth Annual Collaborative Internet survey, 69% of IT respondents reported incidents of malware and/or information leaks due to the use of Internet applications. Viruses were most common at 55 percent, followed by spyware infiltrations at 45 percent – but in new statistics gathered for the first time this year 14% have seen data leakage through social networks. The problem with Web 2.0 applications like IM, Skype and the chat functions within Facebook is that they can easily traverse the network without being seen, potentially allowing credit card details, confidential trading information, client records and the like to leave the organization unauthorized. If these applications cannot be seen then they cannot be managed or secured, resulting in a significant risk of violating compliance. There is also the potential for accidental leakage too and not just from sending an IM to the wrong person. For example, each of the 50,000 applets on Facebook requires users to download a small executable that gives access to a user’s profile, potentially retrieving information and even allowing malware in. Inbound Threats Just like email, malware writers like to make full use of social engineering techniques to persuade users to install their spyware and viruses. One of the main reasons for the bad guys’ success rate is that many users place too much trust in their network. Even though they may not know who their “friends” are in the real world, a feeling of trust builds up over a period of time. This makes users far more likely to click on a link from friend on Facebook, LinkedIn and Twitter than in an email, where most people today are a little more circumspect, particularly if it’s unexpected. Inappropriate content, whether it is a comment that could be construed as advertising or recommendation, a libellous statement about a competitor or just a really humiliating picture on Facebook, if the person is a recognizable employee it could compromise the whole organization. Consideration must also be given to the features within social media sites that can also inadvertently break regulations. Whilst still a theoretical problem, LinkedIn’s Recommendations feature that allows testimonials to be posted to a user’s LinkedIn page likely violates Rule 206(4)-1(a)(1) of the Investment Advisors Act of 1940. This could be a serious problem for any Member who currently has recommendations on their LinkedIn page. Compliance Virtually all company data is subject to discovery should legal action be taken, including communication traffic over Web 2.0, Social Media and UC. At the end of the day, this is all simply electronic communications. In order to comply with most industry and government regulations including NFA, organizations need to demonstrate information control, retention and review. However, in practice not many firms are able log content posted to Facebook, let alone try to control the content of the actual message. The process of archiving, storing and making these conversations and posts easily retrievable for regulatory compliance and legal discovery is made exponentially more complex because of the multidimensional nature of these conversations. For example, a chat conversation can include numerous participants joining at different times, creating a requirement to understand the context surrounding each participants understanding of these conversations – who entered – and left the conversation at what point during the discussion. Within financial industries this is normally taken a step further and the use of ethical walls between business functions is a required element of compliance. Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.
  • 7. WHITE PAPER – NFA Compliance Guide 7 There are additional specific regulations outside of NFA guidelines that relate to Web 2.0, social media and enterprise communications: Regulation Impact Gramm-Leach-Bliley (GLBA) Info protection, monitor for sensitive content and ensure not sent over public channels (ex. Twitter) SEC and FINRA Obliged to store records and make accessible. Public correspondence requires approval, review and retention. Extended to social media. PCI Ensuring cardholder data is not sent over unsecured channels and proving it has not happened. Red Flag Rules Prevent identity theft. Protect IM and Web 2.0 from malware and phishing where users more likely to let down their guard. FRCP (e-Discovery) Email and IM are ESI (Electronically Stored Information). Posts to social media sites must be preserved if reasonably determined to be discoverable. Sarbanes-Oxley - SOX Businesses must preserve information relevant to the company reporting, this includes all IM and social media “conversations”. Canadian Securities Administrators Retain records for two years, in a manner that allows “rapid recovery to a regulator”. Can extend to National Instrument 31-303 (CSA NI) IM and social media. Investment Dealers Association of Demands the retention of records with relation to business activities, regardless of its medium Canada (IDA29.7) of creation. MiFID and FSA - Markets in Financial Specifically requires the retention of electronic communications conversations when trades Instruments Directive (EU) are referenced. Model Requirements for the manage- European requirements that define the functional requirements for the manner in which electronic ment of Electronic Records (MoReq) records are managed in an Electronic Records Management System. User Behavior Web 2.0 and social media offer huge productivity benefits, but that doesn’t mean to say that employees should be given a free rein. Consideration should still be given to whether an employee really needs access to specific applications or be able to transfer certain files types. Members of the marketing team might understand what is appropriate to post to Facebook, or indeed what process to follow to post – but “John” in the mailroom might not. His posts or photographs from weekend parties might not be suitable content. Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.
  • 8. WHITE PAPER – NFA Compliance Guide 8 NFA - Key Rules Compliance Rule 2-29(h) – Radio and Television advertisements Under the proposed changes to Compliance Rule 2-29 (h) the NFA notes that profit claims and other trading recommendations normally associated with radio and television advertisements are starting to appear as podcasts and videos on sites such as YouTube. The rule now includes the words “distributed through media accessible by the public”, requiring that just like other mediums the video should be submitted to the NFA for prior approval at least 10 days in advance. Compliance considerations • Under Rule 29-2 Communications with the Public and Promotional Material misleading statements, mentions of profit without a statement about potential losses and high pressure tactics are strictly forbidden. • Rule 29-2(e) states “Every Member shall adopt and enforce written procedures to supervise its Associates and employees for compliance with this Rule.” Compliance recommendations Given that human error or judgment is frequently found to be a contributing factor in most adverse situations, organizations implemented content filtering for their email systems a long time ago. Companies need to implement a solution that provides content filtering for messages posted to a wide range of real-time communication tools, social networking sites and webmail (e.g., Gmail) to ensure all messages are appropriate. Notification to users about why a particular message was blocked, can help to train individuals further and highlight repeat offenders. Re-enforcing procedures is particularly critical since Interpretive notice 9037 states that should communications be permitted over systems other than those belonging to the firm, they must be treated as its own records with adequate review procedures in place. Rule 2-9 – Supervision “Each Member shall diligently supervise its employees and agents in the conduct of their commodity futures activities for or on behalf of the Member”, the inclusion of email and websites was confirmed in Interpretative Notice 9037, alongside a note that other forms of electronic communication should not be ignored. Interpretive notice 9063 now extends the ruling to specifically include other forms of electronic communications including social media. It also requires that blogs, forums and chat rooms hosted by the Member “where futures or forex are discussed” be supervised. Compliance considerations • It is not possible to supervise communications if the organization does not have visibility of all electronic communication tools in use on its network. • Even if an enterprise has standardized on its use of electronic communications tools, it does not prevent users from downloading other applications. Most real-time communication and Web 2.0 applications have been specifically designed to avoid detection by traditional security infrastructure. Compliance recommendations In order to be able to enforce communication policies, enterprises need to implement technology that is able to provide visibility of all real-time communication tools and Web 2.0 applications on the network and the ability to block or control their usage. Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.
  • 9. WHITE PAPER – NFA Compliance Guide 9 Rule 2-10 – Record Keeping Members must “maintain adequate books and records necessary and appropriate to conduct its business.” This includes promotional material and websites that are intended for viewing by customers. In addition, Interpretive notice 9063, suggests that identification through screen names should also be part of an employer’s policies. Compliance considerations • Social Networking sites such as Facebook offer no native archiving functionality, making it difficult to comply with Rule 2-10 and Rule 2-29 (e) that sets out the requirements for review of all promotional material by a “supervisory employee other than the individual who prepared such material”. • Native archiving functionality offered by UC and other real-time communication tools is rarely able to provide a granular breakdown of conversations by persons (including buddynames), key phrases and timeframes, essential for compliance and eDiscovery requirements. • This is further complicated when a variety of modalities is used in a conversation from IM to Blackberry. Compliance recommendations Enterprises should deploy a central archiving system that enables easy review of messages posted and detailed analysis of electronic conversations including file downloads both internally and externally, complete with an audit trail of the auditor reviewing the information. In addition, the information should include who joined a conversation at which point and when they left, any disclaimers shown (at the beginning of an IM conversation for instance) and CDR information on voice calls, group meeting sessions etc. Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.
  • 10. WHITE PAPER – NFA Compliance Guide 10 NFA – Key Interpretive Notices Notice 9041 – Obligations to Customers and Other Market Participants Trading ahead of customer orders or trading based on non-public information such as a research report not yet released is strictly forbidden for registered as brokers or dealers in security futures products. Notice 9041 recommends that “Members should consider developing and implementing firewalls to isolate specific information within research and other relevant departments of the firm so as to prevent the trading department from utilizing the advance knowledge of the issuance of the research report.” Compliance considerations • In certain situations there may be a requirement to restrict electronic conversations between internal personnel such as non-research and research departments. In addition, there may be a requirement to restrict electronic communication between specific people from different organizations, whilst still allowing broad communication with others. • Though it is easy for a Member or Associate to recognize in a one to one instant message conversation whether or not they should be talking to the individual, with the uptake of services such as Microsoft’s Group Chat it is now a considerable risk. • Multi-party communications such as chatrooms, live meetings etc make it easy for individuals to accidentally infringe NFA and other regulations such as the Commodity Futures Modernization Act of 2000 (CFMA¬). Compliance recommendations Implement ethical walls at both a group and domain level to ensure that conflicting personnel do not accidentally “meet” electronically and maintain a full audit trail that clearly displays when an individual joined a meeting and subsequently left. In addition, the use of disclaimers when using UC platforms such as Microsoft OCS and IBM Lotus Sametime as a member joins a meeting can help to reinforce the message. Notice 9063 – Use of Social Media Web Sites The release of notice 9063 makes it very clear that all electronic communications shared via the internet should be included when considering regulation in particular NFA Compliance Rules 2-29, 2-36, or 2-39. In addition it also makes clear that content posted to third party sites is included in NFA regulations. Compliance considerations • Social media is a dynamic medium that relies on quick interaction between participants to be a useful resource for information and communication. Allowing unfiltered access raises the possibility of an employee accidentally or deliberately saying something inappropriate. • Moderating every post manually will increase the overhead of using social media and may also add an element of delay in the “conversation” that negates the benefit of using the medium. Compliance recommendations Educate users to understand what is considered appropriate content. Implement filters that can control the content posted to sites such Facebook, LinkedIn and Twitter and enable the automation of the moderation process where applicable. Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.
  • 11. WHITE PAPER – NFA Compliance Guide 11 How Actiance Meets NFA Compliance Socialite Socialite is Actiance’s security, management, and compliance solution for Social Networks, providing granular control of Facebook, LinkedIn, and Twitter. Socialite not only controls access to 150 different features across social networks, but can also moderate, manage, and archive any social media traffic routed through the solution, which can either be on-premise or hosted. Socialite includes a number of key features for securely enabling the use of social networks, including: • Data leak prevention: preventing sensitive data from leaving the company, either maliciously or inadvertently • Identity management: establishing a single corporate identity and tracking users across multiple social media platforms (e.g., @JohnJones on Twitter is the same as JohnHJones on LinkedIn) • Activity control: managing access to features, such as who can read, like, comment upon, or access specific features • Moderator control: pre-approving content for Facebook, LinkedIn, and Twitter, where content is required to be reviewed by a corporate communications officer or other third party • Granular application control: enabling access to Facebook but not to Facebook Chat or downloading/installing any of the applications in the gaming category • Conversation and content logging: capturing all posts, messages, and commentary in context, including export to an archiving platform of your choice for eDiscovery purposes Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.
  • 12. WHITE PAPER – NFA Compliance Guide 12 Ten Steps to UC, IM and Web 2.0 Compliance 1. Gain visibility of all communications tools The first step in any security review is to carry out an audit. Even if the use of real-time communications and Web 2.0 applications has been banned within the enterprise, the likelihood is users will have found a way to circumvent any measures put in place. 2. Develop policies under FINRA guidelines An acceptable usage policy will let users know exactly what they can and can’t do using UC, IM and Web 2.0 applications. Don’t forget to include that the organization has the right to monitor all traffic and to remind Members and Associates that they are bound by NFA regulations even if they are not using the company network. 3. Implement monitoring technology The only way to see who is using what, how often and when, is to implement monitoring technology. Even if a business chooses to ban particular real-time application or social networking sites, without monitoring in place they can never be certain that users are complying. 4. Ensure Granular Access Not all employees need access to every aspect of real-time communication tools or Web 2.0 applications. In the same way organizations block certain file types such as only the marketing department can receive gifs and jpegs, consider limiting the various types of real-time communication via job function. 5. Apply policy management and control Apply centralized policy management and control with a single solution for setting and enforcing policy for all elements of Web browsing, UC and IM in use in the enterprise. Use Active Directory integration to set global, group, user level real-time communications policies. 6. Enable Content Filtering Ensure content posted and messages sent via Web 2.0 applications such as Facebook or real-time communication tools such as Skype can be monitored and blocked where necessary. 7. Implement Ethical Walls Prevent Members or Associates from accidentally meeting conflicting personnel within official chatrooms. 8. Use Disclaimer Messages Customizable disclaimer can not only make third parties aware of limitations, they can also be used to remind users of their obligations before entering into discussions. 9. Archive Whether you need to retrieve messages for legal litigation, to prove a point on compliance or just to confirm a contractual change, all business messages need to be stored securely. 10. Don’t forget about malware and data leakage Protect the network by detecting and blocking incoming infections and uncover existing endpoint infections when the spyware starts trying to ‘phone home’. Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.
  • 13. WHITE PAPER – NFA Compliance Guide 13 About Actiance Actiance enables the safe and productive use of unified communications, collaboration, and Web 2.0, including blogs and social networking sites. Formerly FaceTime Communications, Actiance’s award-winning platforms are used by 9 of the top 10 US banks and more than 1,600 organizations globally for the security, management, and compliance of unified communications, Web 2.0, and social media channels. Actiance supports all leading social networks, unified communications providers, and IM platforms, including Facebook, LinkedIn, Twitter, AOL, Google, Yahoo!, Skype, Microsoft, IBM and Cisco. More Information For more information about Actiance and its solutions, please visit http://www.actiance.com. Worldwide Headquarters 1301 Shoreway, Suite 275 Belmont, CA 94002 USA (650) 631-6300 phone EMEA Headquarters 400 Thames Valley Park Reading, Berkshire, RG6 1PT UK +44 (0) 118 963 7469 phone emea@actiance.com Worldwide Headquarters EMEA Headquarters 1301 Shoreway, Suite 275 400 Thames Valley Park Belmont, CA 94002 USA Reading, Berkshire, RG6 1PT UK (650) 631-6300 phone +44 (0) 118 963 7469 phone info@actiance.com emea@actiance.com ©2001-2011 Actiance, Inc.