9 Keys to FINRA Blessing Enterprise Social Software Use


DESCRIPTION

Enterprise social software is on fire. Financial services organizations have jumped on the bandwagon and are beginning to use platforms like Jive, SharePoint, Connections, Yammer, and others to collaborate and enhance productivity. But, lurking in the shadows is the Financial Industry Regulatory Authority (FINRA) whose Regulatory Notices 10-06 and 11-39 apply equally to these platforms, just as they do to Facebook, LinkedIn, and Twitter, everybody’s social media darlings. This means that compliance officers and legal counsel have to meet similar governance requirements as the ones for email and IM when deploying social software technologies. This whitepaper details:

• Key rules, guidelines, and notices that impact FINRA member firms’ use of enterprise social software
• Potential risks of social software use
• 9 tips on how firms can utilize social software without incurring FINRA’s wrath


Contents

Executive Summary (p. 3)
Growth of Enterprise Social Software (p. 4)
Compliance Risks (p. 4)
Regulatory Risks (p. 5)
Legal Risks (p. 6)
User Behavior and Policies (p. 6)
Key Rules (p. 7)
  FINRA Rule 2210 (Communications with the Public) (p. 7)
  NASD Rule 3010 (Supervision) (p. 8)
  FINRA Rule 4511 (Books and Records) (p. 9)
Key FINRA Notices (p. 10)
  Regulatory Notice 07-59 (Supervision of Electronic Communications) (p. 10)
  Regulatory Notice 10-06 (Social Media Websites) (p. 11)
  Regulatory Notice 11-39 (Social Media Websites and Use of Personal Devices) (p. 12)
How Actiance Meets FINRA Compliance Requirements (p. 13)
  Vantage (p. 13)
Nine Steps to ESS Compliance (p. 14)
About Actiance (p. 15)


Executive Summary

In January 2010, the Financial Industry Regulatory Authority (FINRA) issued Regulatory Notice 10-06, its latest guidance in a series on electronic communications specifically related to social media websites. The growth in social networking is huge and is now matched by the adoption of enterprise social software (ESS). Organizations are deploying ESS for their employees, partners, and customers to accelerate business processes through improved collaboration and expertise discovery. A social business embraces networks of people to create business value. It does this by deepening its relationships with customers, driving operational effectiveness, and optimizing its workforce.

With the publication of FINRA Regulatory Notice 10-06, compliance officers now know that they have to meet requirements similar to those that have existed for email and instant messaging when evaluating social software technologies. This whitepaper sets out some of the key rules, guidelines, and associated risks for FINRA member firms and suggests ways that organizations can use technology to protect themselves and their registered representatives.


Growth of Enterprise Social Software

Over the past decade, organizations have been shifting an increasing number of enterprise tasks and content over to collaboration platforms like Jive, SharePoint, Connections, and Yammer, to name a few. Additionally, enterprises are now leveraging these platforms’ social media capabilities, such as exchanging documents, posting blog entries, and soliciting feedback (i.e., basically anything that facilitates collaboration and enhances employee productivity).

The growth of these platforms is reflected in the following data points:

• The Enterprise Social Software space is expected to reach $2 billion by 2014 (Source: IDC).
• Among all of Microsoft’s server offerings, SharePoint achieved $1 billion in annual revenue in the shortest amount of time.
• Microsoft acquired Yammer for $1.2 billion (June 2012).
• 61% reduction in time spent on compliance activities through the use of social software (Deloitte Center for the Edge Study, March 2011).

The bottom line is that many stakeholders have benefited from the growth of social business platforms.

Compliance Risks

The risks that ESS tools pose are very similar to those of other electronic communications like email: non-compliance with government and industry regulations and substantial litigation and eDiscovery costs. Just as with email, the principles for applying policies and remaining compliant remain the same.

A sampling of regulations and statutes outside of FINRA guidelines that relate to the governance of ESS content is listed here:


Regulation or Rule: Impact

Gramm-Leach-Bliley Act (GLBA): Information protection; monitor for sensitive content and ensure it is not sent over public channels (e.g., Twitter).

Investment Advisers Act of 1940: Investment advisers are prohibited from publishing, circulating, or distributing any advertisement which refers, directly or indirectly, to any testimonial of any kind concerning the investment adviser or concerning any advice, analysis, report, or other service rendered by such investment adviser.

SEC 17a-3 and 17a-4: Specifies the types of electronic records that must be preserved. Also specifies the manner and length of time that the records maintained by broker-dealers must be preserved.

PCI: Ensuring cardholder data is not sent over unsecured channels and proving that it has not occurred.

Federal Rules of Civil Procedure (FRCP): Email and IM are ESI (Electronically Stored Information). Posts to social media sites must be preserved if reasonably determined to be discoverable.

Sarbanes-Oxley (SOX): Businesses must preserve information relevant to the company’s reporting. This means all IM and social media “conversations” are relevant.

Regulatory Risks

The problem for regulated financial institutions is that inappropriate use of such widely available communications and collaboration tools can mean non-compliance with government and industry regulations, resulting in hefty fines, potential loss of business, and fraud.

In 2011, FINRA discovered that Jenny Ta, a registered broker in California, failed to inform a registered firm principal that she had a Twitter account, which she used periodically to tout a specific stock. Moreover, FINRA found that her tweets often predicted an imminent price increase and that she didn’t disclose her family’s substantial position in that stock – all of which violated FINRA rules. She got caught and was fined $10,000 and suspended for a year.


Similarly, in 2012, the SEC filed an enforcement action against Anthony Fields, an Illinois-based investment advisor, accusing him of making “fraudulent offers” of more than $500 billion in “fictitious securities through various forms of social media,” namely, LinkedIn.

Legal Risks

Virtually all company data is subject to discovery should legal action be taken, including communications traffic over blogs, wikis, discussion forums, bookmarks, social media, and unified communications. At the end of the day, these are all simply forms of “electronic communications.”

The process of archiving, storing, and making these conversations and posts easily retrievable, not just for regulatory compliance but also for legal holds and eDiscovery purposes, is made complex by the multi-dimensional nature of these conversations. For example, a wiki or blog post can include numerous contributors and respondents, each one commenting, replying, deleting, and editing content. In essence, this dynamic interchange of content underscores the importance of context. For instance, who said what and when, and did he or she edit or delete any comments? This chronology and context are thus crucial.

User Behavior and Policies

Social communities, wikis, profiles, and blogs offer huge productivity benefits when used in the context of business processes, but they also require comprehensive governance and usage guidelines. These guidelines can be added to existing Acceptable Use Policies (AUPs) for other electronic communications or IT equipment. Well-constructed social computing guidelines can help educate employees about the appropriate uses of these applications. Employees have to understand that they are responsible for the content they share, should respect the opinions of others, and must protect confidential information.


Unlike employees in many other industries, registered representatives are duty-bound to follow the rules and regulations surrounding electronic communications. For this reason, it is very important to have good communication and education components in your social software deployment plan. The concepts are not complex; they just need to be communicated clearly to establish acceptable behavior. It is also a best practice to designate a social computing subject matter expert to answer any questions about the guidelines and the desired behavior.

Key Rules

FINRA Rule 2210 (Communications with the Public)

In February 2013, FINRA replaced NASD Rules 2210 and 2211 and NYSE Rule 472 with FINRA Rule 2210, which governs communications with the public. The new rule reduces the number of communications categories from six to three, two of which pertain to social media:

Correspondence

Correspondence includes any written (including electronic) communication that is distributed or made available to 25 or fewer retail investors within any 30 calendar-day period.

Retail communication

Retail communication includes any written (including electronic) communication that is distributed or made available to more than 25 retail investors within any 30 calendar-day period. A “retail investor” includes any person other than an institutional investor, regardless of whether the person has an account with the firm. Communications that formerly qualified as advertisements and sales literature generally now fall under the definition of “retail communication.”


Compliance considerations

• Regulatory Notice 10-06 does pave the way for registered representatives to participate in real-time communications, but care still needs to be given to the content of the message.
• Under FINRA 2210, communications with the public must be based on the principles of fair dealing; misleading statements, exaggerated claims, and predictions of investments are strictly forbidden.
• Sharing or republishing a comment from a third party is likely to be considered an endorsement, as is “Liking” a comment on Jive or Salesforce Chatter, so caution is urged.

Compliance recommendations

Given that human error or judgment is frequently found to be a contributing factor in adverse situations, organizations began implementing content filtering systems for their email platforms a long time ago. Companies need to implement a solution that provides content filtering for messages posted to a wide range of real-time communications tools, including ESS, to ensure that all messages are appropriate.

NASD Rule 3010 (Supervision)

“Members must establish, maintain and enforce written procedures for communications”; the inclusion of electronic communications was confirmed in Notice 99-03. Furthermore, 10-06 reminds members that under NASD Rule 3010 members must supervise social media communications “in a manner reasonably designed to ensure that they do not violate the content requirements of FINRA’s communications rules.”

Compliance considerations

• It is not possible to supervise communications if the organization does not have visibility of all electronic communications tools in use on its network.


• An enterprise should standardize on its use of electronic communications tools, including social applications, for its employees and customers to meet collaboration requirements. This will decrease the temptation to download other applications that may have been specifically designed to avoid detection by traditional security measures.

Compliance recommendations

In order to be able to enforce communications policies, enterprises need to implement technology that is able to provide visibility into all ESS tools on the network and the ability to block or control their usage.

FINRA Rule 4511 (Books and Records)

Firms are obligated to: (1) make and preserve books and records as required under FINRA and SEC rules; and (2) preserve the books and records in a format and media that complies with SEC Rule 17a-4. The rule also requires firms to preserve, for a period of at least six years, FINRA books and records for which there is no specified retention period under applicable FINRA or SEC rules.

Compliance considerations

• ESS platforms offer little to no native archiving functionality, making it difficult to comply with FINRA or SEC rules that require, if appropriate, the review “by a supervisor of employees’ incoming, outgoing and internal electronic communications.”
• Native archiving functionality offered by ESS is rarely able to provide a granular breakdown of conversations by persons (including buddy names), key phrases, and timeframes, which are essential for compliance and eDiscovery requirements.
• This is further complicated by the multitude of modalities used in conversations, from IM to blogs to wikis.


Compliance recommendations

Enterprises should deploy a central archiving system that enables easy review of posted messages and detailed analysis of electronic conversations, including file downloads both internally and externally, complete with an audit trail of the auditor reviewing the information. In addition, the information should include who joined a conversation and when, when they left, any disclaimers shown (at the beginning of a conversation, for instance), and call detail records for voice calls, group meeting sessions, etc.

Key FINRA Notices

Regulatory Notice 07-59 (Supervision of Electronic Communications)

Recognizing the ever-expanding role of electronic communications, FINRA in Regulatory Notice 07-59, Supervision of Electronic Communications, suggests that members consider taking steps “to reduce, manage or eliminate potential conflicts of interest, to prevent electronic communications between certain individuals/groups or monitoring communications as required by FINRA rules.”

Compliance considerations

• In certain situations, there may be a requirement to restrict electronic conversations between internal personnel, such as between non-research and research departments. In addition, there may be a requirement to restrict electronic communications between specific persons from different organizations, while still allowing broad communication with others.


• Though it is easy for a registered representative to recognize in a one-to-one instant message conversation whether or not they should be talking to the individual, with the popularity of features such as discussion forums within a community, the risk of prohibited contact going unnoticed is now considerable.

Compliance recommendations

Implement ethical walls at both a group and domain level to ensure that conflicting personnel do not accidentally “meet” electronically and to maintain a full audit trail that clearly displays when an individual joined a meeting and subsequently left. In addition, the use of disclaimers when a member joins a meeting can help to reinforce the message.

Regulatory Notice 10-06 (Social Media Websites)

The release of Regulatory Notice 10-06 from FINRA makes it very clear that all electronic communications shared via the Internet should be treated in just the same way as if they were shared in person or in non-electronic written communications.

Compliance considerations

• Social media is a dynamic medium that relies on real-time (or near real-time) interaction between participants to be a useful resource for information and communication. Allowing unfiltered access raises the possibility of an employee accidentally or deliberately saying something inappropriate.
• Moderating every post manually will increase the overhead of using social media and may also add an element of delay to the “conversation” that offsets the benefit of using the medium.

Compliance recommendations

Educate users to understand what is considered appropriate content. Implement filters or moderation processes that can control the content posted to external social media sites.


Regulatory Notice 11-39 (Social Media Websites and Use of Personal Devices)

In this notice, FINRA provides further guidance for firms on applying rules governing communications with the public when using social media. In short, firms are reminded that existing rules for recordkeeping, suitability, supervision and content requirements all apply to social media. Additionally, FINRA clarified the following points:

• The content of the communication is determinative, not the communication channel.
• A firm is subject to the “adoption” and “entanglement” theories regarding third-party posts.
• Business communications over personal devices must be retained, retrievable, and supervised.

Compliance considerations

• Mobile devices are increasingly being used for business communications, which means they are subject to regulatory requirements, even if the device in question is a personal device.

Compliance recommendations

Create or revise policies to incorporate business communications conducted over personal devices. Implement technology solutions to ensure that such communications are captured for recordkeeping purposes.


How Actiance Meets FINRA Compliance Requirements

Vantage

Vantage is Actiance’s governance solution for enterprise social software. It complements today’s archiving systems by providing a level of granularity that ensures any information governance strategy is executed seamlessly. Actiance’s Collaboration Framework underpins the capture of this wealth of data, maintaining the context of conversations and posts and storing them natively. Additionally, the framework provides organizations the flexibility of conducting eDiscovery from the Actiance database (thus facilitating contextual review), the customer’s own archive, or perhaps from a third-party archive.

Today’s archiving solutions just grab all collaboration content without providing any real-time insight into the meaning of the data. Vantage’s content-inspection technology features real-time alerts to detect potential loss or exposure of intellectual property and violations of corporate policy, such as the use of inappropriate language (e.g., inflammatory comments). Its policy framework allows granular policies to be defined between groups of employees, ensuring enterprises remain compliant. All of the available compliance controls were designed to address the key government and industry regulations (e.g., FINRA, SEC, FRCP, Sarbanes-Oxley, FERC).

Some key features of Vantage include the following:

• TrueCompliance™: Tamper-proof archiving of content; real-time content inspection; preservation of message or conversation order.
• Real-time alerts: Send real-time alerts based on content detected (e.g., abusive language, trade secrets); scans content within files.
• Granular policy control: Define capture policies at a granular level to map to compliance or corporate governance standards.
• Contextual capture: Content shown in the context of other related items in the reviewer UI.


Nine Steps to ESS Compliance

1. Gain visibility into all communications tools

The first step in any security review is to carry out an audit. Even if the use of real-time communications and social applications has been banned within the enterprise, the likelihood is that users will have found a way to circumvent any measures put in place.

2. Develop policies taking into account FINRA guidelines

An acceptable use policy (AUP) will let users know exactly what they can and can’t do with respect to ESS applications. Don’t forget to include that the organization has the right to monitor all traffic and to remind registered representatives that they are bound by FINRA regulations, even if they are not using the company network.

3. Implement monitoring technology

The only way to see who is using what, how often, and when is to implement monitoring technology. Even if a business chooses to ban specific real-time applications, without monitoring in place, they can never be certain that users are actually complying.

4. Ensure granular access

Not all employees need access to every aspect of real-time communications tools or social applications. In the same way organizations block certain file types (e.g., only the marketing department can receive GIFs and JPEGs), consider limiting the various types of real-time communications by job function.

5. Apply policy management and control

Apply centralized policy management and control with a single solution for all elements of email, instant messaging, and social applications in use in the enterprise. Use Active Directory integration to set and enforce global, group, and individual-level communications policies.


6. Enable content filtering

Ensure content posted and messages sent can be monitored where necessary. Use lexicons to efficiently monitor for sensitive keywords, phrases, and regular expressions.

7. Send alerts

Limit the potential damage of inappropriate or inflammatory content by utilizing alerts.

8. Capture edits and deletes

Edits and deletions are just as important as unchanged content. Ensure you have policies and systems in place to record content that was revised or removed.

9. Archive

Whether you need to retrieve messages for litigation, to substantiate a compliance issue, or just to confirm a contractual modification, all business messages need to be stored securely.
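Steps 5 through 9, together with the group- and domain-level ethical walls recommended under Regulatory Notice 07-59 above, can be shown working together in a small governance layer. The Python below is an added example written for this page; it is not code from the whitepaper or from Actiance’s Vantage product. The group names, e-mail domains, lexicon patterns, user records and post texts are all constructed for illustration, and the card-number pattern is deliberately coarse (any 16-digit run with optional spaces or dashes) so that a real deployment would tune it against its own data.

```python
"""Added example (not Actiance code): ethical walls, lexicon filtering with
alerts, and an append-only audit trail for an enterprise social platform."""
import re
from datetime import datetime, timezone

# Constructed ethical-wall policy: unordered pairs of groups or e-mail domains
# whose members must not converse with each other (Notice 07-59, step 5).
ETHICAL_WALLS = {
    frozenset({"research", "investment-banking"}),
    frozenset({"broker.example", "issuer.example"}),
}

# Constructed lexicon (step 6). Keywords, phrases and regular expressions are
# all compiled to regexes so a single matcher handles the three kinds.
LEXICON = [
    ("prediction", re.compile(r"\b(?:guaranteed|can't lose|will (?:double|soar))\b", re.I)),
    ("cardholder-data", re.compile(r"\b(?:\d[ -]?){12}\d{4}\b")),  # coarse 16-digit PAN shape (PCI)
    ("confidential", re.compile(r"\bconfidential\b|\binternal only\b", re.I)),
]


def wall_blocks(sender: dict, recipient: dict) -> bool:
    """True when an ethical wall separates the two users: the group pair is
    checked first, then the e-mail-domain pair."""
    for key in ("group", "domain"):
        pair = frozenset({sender[key], recipient[key]})
        if len(pair) == 2 and pair in ETHICAL_WALLS:
            return True
    return False


def lexicon_hits(text: str) -> list:
    """Labels of every lexicon entry that matches the text (empty if clean)."""
    return [label for label, pattern in LEXICON if pattern.search(text)]


class AuditStore:
    """Append-only record of posts (steps 8 and 9). Edits and deletes add a
    new version with timestamp and actor; nothing earlier is overwritten, so a
    reviewer can reconstruct who said what, when, and what changed later."""

    def __init__(self):
        self.versions = {}  # post_id -> [(timestamp, actor, action, text)]
        self.alerts = []    # (timestamp, post_id, actor, label)  (step 7)

    def _append(self, post_id, actor, action, text, ts):
        self.versions.setdefault(post_id, []).append((ts, actor, action, text))
        for label in lexicon_hits(text or ""):
            self.alerts.append((ts, post_id, actor, label))

    def create(self, post_id, actor, text, ts):
        self._append(post_id, actor, "create", text, ts)

    def edit(self, post_id, actor, text, ts):
        self._append(post_id, actor, "edit", text, ts)

    def delete(self, post_id, actor, ts):
        # The deleted text survives in the earlier version; the delete is its own event.
        self._append(post_id, actor, "delete", None, ts)

    def history(self, post_id):
        return list(self.versions.get(post_id, []))


def post_message(store, sender, recipient, post_id, text, ts):
    """Gate a new post: refuse it at the wall, otherwise record it and return
    the lexicon labels that fired so the caller can alert or moderate."""
    if wall_blocks(sender, recipient):
        return {"allowed": False, "reason": "ethical-wall", "labels": []}
    store.create(post_id, sender["name"], text, ts)
    return {"allowed": True, "reason": None, "labels": lexicon_hits(text)}


def demo():
    """Constructed scenario: a cross-wall post that is blocked, an allowed post
    that trips the lexicon, and an edit then delete that stay auditable."""
    store = AuditStore()
    analyst = {"name": "alice", "group": "research", "domain": "broker.example"}
    banker = {"name": "bob", "group": "investment-banking", "domain": "broker.example"}
    rep = {"name": "carol", "group": "sales", "domain": "broker.example"}
    client = {"name": "dave", "group": "external", "domain": "client.example"}
    t0 = datetime(2013, 5, 1, 9, 0, tzinfo=timezone.utc)

    blocked = post_message(store, analyst, banker, "p1", "Draft rating for ACME attached", t0)
    flagged = post_message(store, rep, client, "p2", "ACME will double by June, guaranteed.", t0)
    store.edit("p2", "carol", "ACME is one to watch this quarter.", t0.replace(hour=10))
    store.delete("p2", "carol", t0.replace(hour=11))
    return blocked, flagged, store


if __name__ == "__main__":
    blocked, flagged, store = demo()
    print(blocked, flagged, store.alerts, store.history("p2"), sep="\n")
```

Because the store only ever appends, the history of post p2 still shows the original text, the edited text and the delete event in order, which is the chronology the Legal Risks section calls crucial. The lexicon fires on the original text at the moment it is posted, so the alert reaches a supervisor even though the representative edited the claim out an hour later; the wall check runs before anything is stored, so the blocked research-to-banking post never reaches the recipient.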

About Actiance

Actiance® is a global leader in communication, collaboration, and social media governance for the enterprise. Its governance platform is used by millions of professionals across dozens of industries. With the power of communication, collaboration, and social media at their fingertips, Actiance helps professionals everywhere to engage with customers and colleagues so they can unleash social business.

The Actiance platform gives organizations the ability to ensure compliance for all their communications channels. It provides real-time content monitoring, centralized policy management, contextual capture of content and smart archiving which improves the efficiency and cost-effectiveness of eDiscovery and helps protect users from malware and accidental or malicious leakage of information. Actiance supports all leading social media, unified communications, collaboration, and IM platforms, including Facebook (FB), LinkedIn (LNKD), Twitter, Google (GOOG), Yahoo! (YHOO), Skype, IBM (IBM), Jive (JIVE), Microsoft (MSFT), Cisco (CSCO), and Salesforce.com (CRM).

Actiance is headquartered in Belmont, California.

©2013 Actiance, Inc. All rights reserved. Actiance, the Actiance logo, Socialite, and the Socialite logo are registered trademarks of Actiance, Inc. Vantage is a trademark of Actiance, Inc. All other trademarks are the property of their respective owners.

More information

actiance.com

[email protected]

Follow us

facebook.com/Actiance

linkedin.com/company/actiance-inc

twitter.com/actiance

youtube.com/actiance

slideshare.com/actiance