The document discusses compliance requirements for using social media in the financial services industry. It notes that existing regulations around communications and record keeping still apply to social media use. It also discusses the need to address security risks from hackers. Effective compliance solutions need to allow for supervision of content, preserve records and context of conversations in tamper-proof archives, and monitor all user activities in real-time. The best practice is to use both the social media API and a proxy solution to ensure all requirements around supervision, record keeping, and security are met.
2. Introduction
It is no secret that social media within the financial services industry has
exploded over the last few years. The industry recognises that social media
is a powerful, cost-effective channel to reach new customers and strengthen
existing relationships. However, enabling the use of social within a corporate
environment also has compliance and security implications.
Existing Financial Services Authority (FSA) rules still apply, and the regulator
has issued additional guidelines on the use of social over the last couple of
years. There is of course other legislation and regulation to be considered,
such as the European MiFID directive and the card industry's PCI DSS standard.
Moreover, all these different social media channels today represent attractive
avenues for hackers to unleash viruses and other types of malware on unsuspecting
users. So, although the benefits of social are massive, organisations need to
ensure they have the appropriate technology solutions in place to address these
compliance and security concerns.
3. Compliance Requirements for Financial Services
Let’s take a closer look at the FSA’s guidelines. In its Financial Promotions
Industry Update No 5 the FSA noted that all electronic communications
shared via the internet should still be governed by High Level Standards
and Business Standards. Within these regulations there are two main areas
that need consideration when using social media.

Recordkeeping
SYSC 9.1 General rules on record-keeping states that “A firm must arrange
for orderly records to be kept of its business and internal organisation,
including all services and transactions undertaken by it, which must be
sufficient to enable the FSA or any other relevant competent authority under
MiFID to monitor the firm’s compliance with the requirements under the
regulatory system.” This means that content such as LinkedIn Profile edits,
Facebook posts and Tweets is subject to the recordkeeping rules.

In addition, ICOBS 2.4, MCOB 3.10 and COBS 4.11 state that adequate
records of financial promotions must be kept. COBS 4.11.1 (1) specifically
says “it communicates or approves,” potentially implying that even
unauthorised communication needs to be recorded.

Some specific facets of recordkeeping that firms must incorporate include
the following:

• Tamper-proof archiving: Electronic records must be preserved exclusively
in a non-rewriteable and non-erasable format. This means that data must
be delivered to a customer’s archiving system in its original form.
• Guaranteed message order preservation: Given the interactive nature
of social media, retaining the context of blogs and their comments,
Facebook chat conversations, and LinkedIn Group discussions is vital.
Without context, firms face the daunting prospect of having to piece
together one conversation from a vast repository of data.
• Non-repudiation: This refers to proof of the integrity and origin of
data. With so many hackers and sophisticated schemes to deceive users,
data authenticity is a key consideration.

Supervision
FSA regulated firms should review items such as LinkedIn Profiles
and Facebook Profiles since they could be considered “advertisements”
subject to pre-approval by an authorised person.

Some specific facets of supervision that firms must incorporate include
the following:

• Real-time content review: COBS 4.10.3 and MCOB 3.11.1 prohibit
unauthorised personnel from sending out financial promotions without
prior approval from the FSA registered firm. Under Update No 5
this includes Tweets, status updates and LinkedIn Posts.
• Monitoring of links to third-party sites: Hyperlinks can be considered
inducements depending on the prominence and type of link, e.g. clicking
on a logo. Links to third-party sites are not normally considered a financial
promotion unless there is an agreement between the two parties to procure users.
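The three recordkeeping facets above (tamper-proof archiving, order preservation and non-repudiation) can be demonstrated with an append-only, hash-chained archive. This is an added example written for this page, not code from the paper or from any vendor; it assumes a per-archive secret (ARCHIVE_KEY) and constructed sample records. Each record commits to the digest of the one before it, so a modified, deleted or reordered record is detected when the chain is verified, and a conversation id lets one thread be reassembled in capture order:

```python
"""Append-only, hash-chained archive for captured social media records.
Added example (not the paper's or any vendor's code): each record commits
to the previous record's digest, so modification, deletion or reordering of
the archived history is detected on verification, and a conversation id
lets a thread be reassembled in the order it was captured."""
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

# Assumption: the archive holds a secret used to tag each record's digest.
# A keyed MAC proves the record came from the archive holding the key; for
# proof a third party can check, a digital signature would replace the MAC.
ARCHIVE_KEY = b"example-archive-key-not-for-production"
GENESIS = "0" * 64


@dataclass
class Record:
    seq: int               # global position in the archive
    captured_at: str       # capture timestamp assigned at the capture point
    channel: str           # e.g. "facebook", "linkedin", "twitter"
    conversation_id: str   # ties a post to its comments and replies
    user: str
    action: str            # "post", "comment", "edit", "delete"
    content: str
    prev_hash: str         # digest of the preceding record (chain link)
    digest: str = ""       # SHA-256 over the canonical form of the fields above
    tag: str = ""          # HMAC over the digest


def canonical(rec: Record) -> bytes:
    """Deterministic byte encoding of the record's archived fields."""
    body = {k: v for k, v in asdict(rec).items() if k not in ("digest", "tag")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class Archive:
    def __init__(self, key: bytes = ARCHIVE_KEY):
        self._key = key
        self._records: List[Record] = []

    def append(self, captured_at, channel, conversation_id, user, action, content) -> Record:
        """Write-once: records are only ever added to the end of the chain."""
        prev = self._records[-1].digest if self._records else GENESIS
        rec = Record(seq=len(self._records), captured_at=captured_at, channel=channel,
                     conversation_id=conversation_id, user=user, action=action,
                     content=content, prev_hash=prev)
        rec.digest = hashlib.sha256(canonical(rec)).hexdigest()
        rec.tag = hmac.new(self._key, rec.digest.encode(), hashlib.sha256).hexdigest()
        self._records.append(rec)
        return rec

    def records(self) -> List[Record]:
        return copy.deepcopy(self._records)  # callers never touch the live chain


def verify(records: List[Record], key: bytes = ARCHIVE_KEY) -> Optional[str]:
    """Return None if the chain is intact, otherwise describe the first fault."""
    prev = GENESIS
    for position, rec in enumerate(records):
        if rec.seq != position:
            return f"gap or reorder at position {position} (seq {rec.seq})"
        if rec.prev_hash != prev:
            return f"chain break at seq {rec.seq}"
        if hashlib.sha256(canonical(rec)).hexdigest() != rec.digest:
            return f"content modified at seq {rec.seq}"
        expected = hmac.new(key, rec.digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.tag):
            return f"origin tag invalid at seq {rec.seq}"
        prev = rec.digest
    return None


def conversation(records: List[Record], conversation_id: str) -> List[Tuple[str, str, str]]:
    """Reassemble one thread in capture order: the context the regulator asks for."""
    return [(r.user, r.action, r.content)
            for r in sorted(records, key=lambda r: r.seq)
            if r.conversation_id == conversation_id]


def build_sample_archive() -> Archive:
    """Constructed sample data, not a real capture."""
    a = Archive()
    a.append("2012-05-01T10:00:00Z", "facebook", "fb-thread-1", "jsmith", "post",
             "Come to our ISA seminar on Thursday")
    a.append("2012-05-01T10:02:00Z", "linkedin", "li-group-7", "jsmith", "post",
             "Joined the Retail Investors group")
    a.append("2012-05-01T10:05:00Z", "facebook", "fb-thread-1", "customer42", "comment",
             "Is there a fee?")
    a.append("2012-05-01T10:06:00Z", "facebook", "fb-thread-1", "jsmith", "edit",
             "Come to our FREE ISA seminar on Thursday")
    return a
```

One caveat a practitioner will want: a chain like this detects changes inside the history but not truncation of its tail, because nothing after the last record commits to it. Anchoring the latest digest somewhere the archive operator cannot rewrite (a WORM store or a periodically published checkpoint) closes that gap.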
4 | TrueCompliance for Social Media 5 | Social Media Success True Compliance for Social Media | 5
4. Addressing the Requirements
So, what must firms do to properly address the requirements outlined above?
The following are some key considerations:

Pre-review certain communications
There are some aspects of social media sites that unequivocally require
pre-approval by an authorised person, for instance a tweet that could be
deemed a financial promotion posted by an unauthorised person. Regarding
general tweets or Facebook posts, the FSA leaves it up to the individual firm
to decide its policy based on its risk-tolerance profile.

Capture as much as possible
The FSA and MiFID require firms to capture all business-related
communications. With the proliferation of smartphones nowadays, it is essential
for firms to have policies and technology in place to accommodate the reality of
employees using personal devices for business-related communications.

Authenticity of data
Firms must store social media content in tamper-proof repositories, such
that data integrity is not compromised. Message order preservation and
guaranteed delivery to the customer’s archive are two such ways to ensure
authenticity of data.

Feature access controls
Since some social media features may invoke the “inducement” or
“procurement” theories, controlling individual features, such as Facebook
Likes, LinkedIn Recommendations, or Twitter Retweets, becomes critical.
Being able to pick and choose the allowable features gives firms the
flexibility to enable the use of social without having to worry about the
“inducement” issue.
Tracking user activities
Establishing a complete audit trail of a user’s interaction with a given
social media site comes into play in both regulatory and legal inquiries.
For instance, say there’s a lawsuit involving the social media activities of
John Smith while he was at work on a corporate-owned device. Counsel for
both sides would be very interested in knowing what Smith was doing from
10am-11am while on Facebook. Did he upload any content? Did he delete
any content? What other areas (e.g., Photos, Groups, Discussion boards,
Chat) did he visit during that one hour? Did he post content to other sites
from Facebook? The user activity history thus becomes very relevant.
5. Potential Technology Solutions
Solutions that enable compliance for social media generally take one of two
technology approaches: the API and the proxy.

The API
Each social network (e.g., Facebook, LinkedIn, and Twitter) makes its API
available to third-party developers. Each API is a little bit different. For
instance, each social network allows calls to its API (“API calls”) only a
limited number of times per day. That number depends on several factors,
such as the number of employees at the company calling the API. The practical
consequence is that content is fetched by polling at intervals, so capture is
NOT done in real-time.

In the period between each of these API calls, comments or posts on, say,
Facebook can be edited or deleted. These edits and deletions are just as
important as the initial posts themselves. Regulatory bodies like the FSA
are interested in the deleted content as much as the content that remains
unchanged. This period between API calls is the “window of vulnerability”
that opens the door to potential non-compliance, putting the firm at risk of
sanctions or other penalties.

The Proxy
This approach entails routing social media traffic through a technology
vendor’s solution, either through proxy-forwarding rules or a proxy
auto-configuration (PAC) file. Either way, the technology vendor sees all the
traffic in real-time, as it happens. It offers the most granular controls
available for users on a corporate-managed device or network.

All user activities can be logged (e.g., a user’s entire Facebook session can
be captured with all the associated metadata) and archived. Pre-review
capabilities and blocking/allowing access to specific features of a social
network (e.g., Facebook Like, LinkedIn Recommendation, Twitter Retweet) are
also made possible with the proxy. Most importantly, a proxy closes the API’s
“window of vulnerability” because it captures each request as it passes
through, rather than sampling the account later. Its coverage ends at the
managed network or device, however: a post made from a personal smartphone on
a home connection never reaches the proxy, which is why the API is still needed
for that case.
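The difference between the two capture models can be made concrete by simulating both against the same timeline of user actions. This is an added example written for this page, not the paper's or any vendor's code; the timeline, the quota figures and the helper names are constructed for illustration. The inline capture records every post, edit and delete as it happens, while the polling capture only diffs periodic snapshots, so a post that is created, reworded and deleted inside one polling interval is never seen:

```python
"""Inline (proxy-style) capture versus periodic API polling, simulated offline.
Added example, not the paper's or any vendor's code. The timeline and the
quota numbers are constructed for illustration only."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Captured = Tuple[int, str, str, str]   # (tick, action, post_id, content)


@dataclass(frozen=True)
class Event:
    tick: int        # simulated time in seconds
    action: str      # "post", "edit" or "delete"
    post_id: str
    content: str = ""


# Constructed timeline (not real data). Post p1 is created, reworded and
# deleted within a few seconds; post p2 is created and later edited.
TIMELINE: List[Event] = [
    Event(1, "post", "p1", "Guaranteed 12% returns, message me"),
    Event(2, "edit", "p1", "Returns vary, capital at risk"),
    Event(3, "delete", "p1"),
    Event(4, "post", "p2", "Join our ISA webinar on Thursday"),
    Event(6, "edit", "p2", "Join our ISA webinar on Thursday (updated time)"),
]


def inline_capture(events: List[Event]) -> List[Captured]:
    """Proxy model: every request passes through the capture point, so every
    post, edit and delete is recorded at the moment it happens."""
    return [(e.tick, e.action, e.post_id, e.content) for e in events]


def state_at(events: List[Event], tick: int) -> Dict[str, str]:
    """What the network's API would return if queried at `tick`: only the
    posts that exist at that moment, each with its current wording."""
    state: Dict[str, str] = {}
    for e in sorted(events, key=lambda e: e.tick):
        if e.tick > tick:
            break
        if e.action in ("post", "edit"):
            state[e.post_id] = e.content
        elif e.action == "delete":
            state.pop(e.post_id, None)
    return state


def polling_capture(events: List[Event], interval: int, horizon: int) -> List[Captured]:
    """API model: fetch a snapshot every `interval` seconds and diff it against
    the previous one. Anything created and removed between two snapshots, and
    any intermediate wording, is invisible to this capture."""
    captured: List[Captured] = []
    prev: Dict[str, str] = {}
    for tick in range(interval, horizon + 1, interval):
        cur = state_at(events, tick)
        for pid, text in cur.items():
            if pid not in prev:
                captured.append((tick, "post", pid, text))
            elif prev[pid] != text:
                captured.append((tick, "edit", pid, text))
        for pid in prev:
            if pid not in cur:
                captured.append((tick, "delete", pid, ""))
        prev = cur
    return captured


def missed_by_polling(events: List[Event], interval: int, horizon: int) -> List[Event]:
    """Events from the real timeline that no polled snapshot ever reflected."""
    polled = polling_capture(events, interval, horizon)
    missed: List[Event] = []
    for e in events:
        if e.action == "delete":
            seen = any(a == "delete" and p == e.post_id for _, a, p, _ in polled)
        else:
            seen = any(p == e.post_id and c == e.content for _, _, p, c in polled)
        if not seen:
            missed.append(e)
    return missed


def min_poll_interval(calls_per_day: int, accounts: int) -> float:
    """Assumed quota model: one daily call budget shared across all monitored
    accounts, one call per account per snapshot. Returns the seconds between
    consecutive snapshots of any single account."""
    return 86400 * accounts / calls_per_day


if __name__ == "__main__":
    print("inline :", len(inline_capture(TIMELINE)), "events captured")
    print("polled :", polling_capture(TIMELINE, interval=5, horizon=10))
    print("missed :", [(e.tick, e.action, e.post_id) for e in missed_by_polling(TIMELINE, 5, 10)])
    print("seconds between snapshots, 5000 calls/day over 500 accounts:",
          min_poll_interval(5000, 500))
```

With a five-second polling interval the poller sees only the final wording of p2 and nothing at all of p1; with a one-second interval it misses nothing, which is exactly the interval a daily call quota forbids once more than a handful of accounts are monitored.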
6. The Best Practice Solution
Given the stringent requirements of regulatory governance, firms must
leverage both approaches to ensure complete compliance. On their own,
the API and proxy are not enough to remain compliant. The best practice,
therefore, is to use BOTH, so that a firm can confidently meet all of its
compliance requirements (see table below).

Requirement   | Detail                                      | Example                                                   | Proxy | API
--------------|---------------------------------------------|-----------------------------------------------------------|-------|----
Supervision   | Pre-review                                  | LinkedIn Profile edits                                    | Yes   | No
Supervision   | Feature access controls                     | Block Facebook Like                                       | Yes   | No
Recordkeeping | Real-time capture of ALL content while on corporate-managed network or device | Archive all tweets, Facebook posts, LinkedIn updates done from a work laptop | Yes | No
Recordkeeping | Logging of user activities                  | Track user movement from LinkedIn Homepage to joining LinkedIn Group to trying to make a Recommendation | Yes | No
Recordkeeping | Capture of content regardless of device or location | Capture business-related tweet made from a personal iPhone | No | Yes
Recordkeeping | Automatic removal of inappropriate content  | Removal of offensive joke from company Facebook page      | No    | Yes

About Actiance
Actiance is the only technology vendor in the market that utilizes both
the API and proxy methods to ensure its customers remain compliant.
In fact, Actiance is the only vendor offering TrueCompliance™,
a collection of features that support the strictest requirements of
social media compliance:
• Tamper-proof archiving
• Guaranteed preservation of message/conversation order (context)
• Guaranteed data delivery to customer’s archiving system
• Guaranteed non-circumvention
• Real-time content filtering with advanced pattern matching,
blocking and scanning (supervision)