
Social Media for Regulated Industries by SocialVolts whitepaper


www.socialvolt.com

WHITE PAPER

Social Media for Regulated Industries


Executive Overview: Social Media Regulation

Most companies have accepted the fact that by now they ought to be engaging in social media activities in one form or another. Those who are late to the party, however, are often from highly regulated industries such as financial services, pharmaceuticals or healthcare. Despite the promise of genuine, real-time communications with customers that could greatly benefit marketing and public relations efforts, social media can present quite a challenge with regard to regulatory compliance.

For example, brokerage firms dealing with Financial Industry Regulatory Authority (FINRA) regulations need to be concerned about whether responses their employees provide to customers in social media communities adhere to suitability and investment product recommendation rules. Likewise, pharmaceutical companies engaging in social media must ensure that any conversations about a product, whether they are on Facebook or Twitter, feature the FDA-required safety information. Healthcare companies must be cognizant of Health Insurance Portability and Accountability Act (HIPAA) laws and must not disclose patient information online. And any public company needs to be on top of every tweet to monitor whether it complies with the Securities and Exchange Commission’s (SEC) public disclosure requirements.

Heavily regulated companies need to arm themselves with the proper tools and information to engage in social media in an intelligent, compliant way – without completely stifling the creative, genuine nature of the medium. This can be a difficult balance to strike, but it can definitely be achieved.

“Despite the promise of genuine, real-time communications with customers that could greatly benefit marketing and sales efforts, social media can present quite a challenge with regard to regulatory compliance.”

This whitepaper will discuss the various regulations and risks that certain industries must keep in mind, and offer guidelines on how to develop a compliant corporate social media strategy.


Social Media and the Financial Services Industry

A deluge of regulatory requirements has slowed the financial services industry’s adoption of social media. According to a recent survey conducted by Accenture [1], 60 percent of retail banks still consider themselves social media novices. And a recent research report by Celent [2] adds that when it “comes to acquiring and retaining clients, social media channels are on their way to becoming as important as traditional media channels for wealth managers.”

Clearly, the industry is starting to realize that social media can reap positive benefits for firms, from building relationships with current and prospective clients to finding new business. However, the financial services industry is forced to comply with strict industry regulations, especially from FINRA, the SEC and, for UK companies, the FSA.

“Sixty percent of retail banks still consider themselves social media novices.”

[1] Accenture, “Social Banking: The Social Networking Imperative for Retail Banks”

[2] Celent, “Social Media in Wealth Management,” January 18, 2012


Understanding the Guidelines: FINRA

One of the industry’s largest regulatory authorities, FINRA, now provides comprehensive guidance for how regulated banks can maintain compliance while engaging in social media activity – Regulatory Notice 10-06 and Regulatory Notice 11-39. Regulatory Notice 10-06 details the recordkeeping, suitability, supervision and content requirements for such communications, while Regulatory Notice 11-39 explains the ins and outs of social networking site usage and communication. Together, these provide the framework for how to maintain compliance while engaging in social media.

Here are five main areas in which FINRA provides guidance for social media [3]:

1. Recordkeeping: All social media activities must be kept to comply with record retention guidelines. This means that firms cannot delete, and must archive, social media activities.

2. Suitability Responsibilities: Social media communications that include recommendations of any type must follow NASD Rule 2310. This means that firms cannot make promises through social media that they could not make via traditional communication methods.

3. Types of Interactive Electronic Forums: Static social media content requires principal approval; interactive social media content does not. This means that any social media content that is real-time communication does not require principal approval, while static content on social media, including profiles and advertising, does require the approval of the firm’s registered principal.

4. Supervision of Social Media Sites: Firms are required to supervise interactive communication on social media and adopt policies to stay in compliance. This means that firms are responsible for making sure any social media communications made through their accounts, no matter which employee posts them, remain in compliance with FINRA guidelines.

5. Third-Party Posts: Social media posts from third parties are not considered communications from a firm, unless the firm has endorsed or is involved in the preparation of the content. This means that firms are not responsible for what others say or claim about their products and services, unless they actively involve themselves with the third-party content.

[3] Guidelines sourced from FINRA Regulatory Notice 10-06 and FINRA Regulatory Notice 11-39


Understanding the Guidelines: SEC

The SEC recently released its first set of guidelines [4] to help investment advisers comply with strict federal securities antifraud, compliance and recordkeeping mandates. The “National Examination Risk Alert: Investment Adviser Use of Social Media” instructs investment advisers using social media to continually evaluate their compliance program in terms of social media usage guidelines, content standards, monitoring, approvals, training and more. It also stresses the importance of paying close attention to third-party content and recordkeeping.

Approaching social media in the same way as other compliance areas required by Advisers Act Rule 206(4)-7 [5], investment advisers that use or permit the use of social media by their representatives, solicitors and third parties should write compliance policies and procedures governing the use of social media. PwC provides a good explanation [6] of the guidelines and the potential risks.

Following is a summary of some of the SEC’s suggestions for social media use (paraphrased from the Alert):

Consider creating usage guidelines instructing advisers and their partners on the appropriate use of social media and appropriate content to post, as well as restrictions.

Consider how to effectively monitor the firm’s social media sites and whether complete access can be given to a supervisor or compliance staff. Also determine how frequently to monitor activity – for some firms, real-time monitoring may be needed whereas periodic monitoring may suffice for others. And determine if your firm has dedicated compliance resources to adequately monitor activity on social media sites.

A firm may want to consider the appropriateness of pre-approval requirements (as opposed to after-the-fact review).

Analyze the risk exposure for a firm and its clients considering the social networking site’s reputation, privacy policy, ability to remove third-party posts, controls on anonymous posting and its advertising practices.

Consider implementing social media training to promote compliance and prevent potential violations of the federal securities laws and the firm’s internal policies. A firm may also consider whether to require a certification by investment advisory representatives (IARs) and advisory solicitors confirming that those individuals understand and are complying with the firm’s social media policy.

A firm may need to define appropriate behavior on personal social media sites, in addition to sites that are supervised or operated by the firm.

Engaging in social media activities may be perceived as a real information security risk to financial services firms. Per the SEC Alert, “information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction is an important risk faced by all firms. Although hacking and other breaches of information security can be posed in multiple ways, use of social media, especially third party social media sites, may pose elevated risks.”

Also consider that content posted on social media sites might be construed as investment advice – something that might come riddled with fines or potential lawsuits. In order to combat these risks, financial services companies should develop and document a clear social media policy that outlines both internal and regulatory compliance rules, and provide definitive guidelines for what is allowed and what is prohibited.

[4] SEC Office of Compliance Inspections and Examinations, “National Examination Risk Alert: Investment Adviser Use of Social Media,” January 4, 2012

[5] SEC Advisers Act Rule 206(4)-7, “Final Rule: Compliance Programs of Investment Companies and Investment Advisers,” February 4, 2004

[6] PwC, “SEC Staff Provides Guidance on the Use of Social Media by Advisers”


Understanding the Guidelines: FSA

The Financial Services Authority (FSA) is the regulator of the U.K. financial services industry. In 2010, it issued guidelines [7] for using new media for financial promotion, which it defines as: “a communication that is an invitation or an inducement to engage in investment activity.” Per the FSA, social media communications (both promotional in nature and otherwise) must comply with standard communications rules found in the FSA Handbook [8], including sections COBS 4, BCOBS 2, ICOBS 2 and MCOB 3. A brief summary of those rules follows:

all communications

More can be read about the specific guidelines for investment, insurance and mortgage firms in the FSA’s “Stand-Alone Compliance” document [9]. Not meant to discourage social media use, the FSA’s guidelines are just another step in the financial services world to ensure that firms are using the medium appropriately and legally to minimize risk and potential litigious side effects.

[7] FSA, “Financial Promotions Industry Update: Financial Promotions Using New Media,” June 2010

[8] The FSA Handbook

[9] FSA, “Financial Promotions Industry Update: Stand-alone Compliance,” Sept. 2009


Social Media and the Pharmaceutical Industry

The pharmaceutical industry has long been reluctant to engage in social media activities, and strict FDA regulations have made pharmaceutical marketers notoriously risk averse. In fact, the Federal Drug Administration’s (FDA) strict communications rules and contrasting silence on social media parameters led to an abrupt shutdown of many pharmaceutical Facebook pages when the site eliminated the option to shut off public comments in August 2011.

In January, the FDA finally issued draft guidance for pharmaceutical companies on how they should interact with consumers on social media. Though the guidelines represent an opportunity for pharmaceutical companies to appropriately engage in social media, many still have concerns. For example, pharmaceutical companies want to know the extent to which they might be held liable for information posted on social media sites by outside parties (i.e., false claims about drugs, adverse effects).

Despite the fact that social media use is still in its infancy within the pharmaceutical industry – and will be until the FDA issues clear guidelines – the industry is starting to realize that social media engagement can reap positive benefits for the business, from building relationships with consumers to conducting activities that drive sales. Some big brands are already testing the social media waters with positive results.

“Despite the fact that social media use is still in its infancy within the pharmaceutical industry – and will be until the FDA issues clear guidelines – the industry is starting to realize that social media engagement can reap positive benefits.”


Understanding the Guidelines: FDA

The FDA recently issued its first draft guidance [10] for pharmaceutical companies on how they should respond to unsolicited requests for drug information. Section VI in the draft guidance, entitled “Responding to Public Unsolicited Requests for Off-Label Information, Including Those Encountered through Emerging Electronic Media by Drug or Medical Device Firms” specifically addresses social media interactions.

Following are the specific recommendations, taken directly from the draft guidance:

1. If a firm chooses to respond to public unsolicited requests for off-label information, the firm should respond only when the request pertains specifically to its own named product (and is not solely about a competitor’s product).

2. A firm’s public response to public unsolicited requests for off-label information about its named product should be limited to providing the firm’s contact information and should not include any off-label information.

3. Representatives who provide public responses to unsolicited requests for off-label information should clearly disclose their involvement with a particular firm.

4. Public responses to public unsolicited requests for off-label information described in numbers 2 and 3 should not be promotional in nature or tone.

Per the FDA, “If a firm responds to public unsolicited requests for off-label information, including those encountered through emerging electronic media, in the manner described above, FDA does not intend to use such responses as evidence of the firm’s intent that its product be used for an unapproved or uncleared use. Such responses also would not be expected to comply with the disclosure requirements related to promotional labeling and advertising.”

Though not by any means a comprehensive guide for how pharmaceutical companies should engage in social media, it is certainly a start.

[10] Food and Drug Administration, “Responding to Unsolicited Requests for Off-Label Information About Prescription Drugs and Medical Devices,” December 30, 2011


Social Media and the Healthcare Industry

Some hospitals have avoided leveraging social media platforms like Twitter and Facebook due to fears over HIPAA. But, with patients frequently turning online to research – and in some cases even diagnose – illnesses, social media can certainly be an effective tool to help find reliable healthcare information.

So, with HIPAA prohibiting the distribution of patient information by both healthcare systems and their employees, is it possible for doctors to engage with patients safely online? The answer is yes, and already more than 1,200 U.S. hospitals are currently engaging patients through social media [11].

“Already more than 1,200 U.S. hospitals are engaging patients through social media.”

[11] Food and Drug Administration, “Responding to Unsolicited Requests for Off-Label Information About Prescription Drugs and Medical Devices,” December 30, 2011


Understanding the Regulations: HIPAA

According to HIPAA, a patient has control of his or her own protected health information and no one can release that information without the patient’s consent. The exception is that a patient’s information can be shared internally, from a hospital to a physician (and vice versa) and to payment companies for insurance purposes. Though HIPAA does not specifically address social media in its documentation, the same rules apply regarding patient privacy.

After a few well-publicized cases about physicians divulging patient information online, Dave Ekrem, social media manager for MassGeneral Hospital for Children, provided a few suggestions for how physicians can remain HIPAA-compliant when using social media, including “The Elevator Rule.” He states: “This is a famous test, probably repeated by compliance departments and trainers at hospitals all over the U.S. If you wouldn’t say it in the elevator, don’t put it online. You can try speaking your post out loud before hitting the enter key. Take particular care when replying to people in real-time venues like Twitter. You don’t have to respond right away and if you have any doubt at all, ask a friend or colleague for their reaction before you post.”

Kevin Pho, an internal medicine physician who sits on the board of USA Today, reminds doctors that separating personal and professional content on Facebook is critical: “I embrace the ‘dual-citizenship’ approach, recently discussed in an Annals of Internal Medicine perspective piece. With Facebook in particular, limit your personal profile to friends and family. These are people who can follow your personal, day-to-day happenings, pictures and video. Patients should not be allowed access to this personal profile. Most importantly, go to your privacy settings and ensure what you share is exposed to your personal circle only. Then, set up a separate Facebook page that serves as your public persona that patients can view. This page needs to be HIPAA-compliant and professionally self-aware.”

By keeping guidelines like these in mind, healthcare organizations and their employees can participate in social media while staying out of professional danger.

[12] KevinMD.com, “7 Tips to Avoid HIPAA Violations in Social Media,” June 7, 2011

[13] KevinMD.com, “How Doctors Can Use Facebook Responsibly,” April 2011


Practice Compliant Social Media: Best Practices

Even the most regulated industries can successfully participate in social media if they adhere to internal policies and regulatory guidelines by building security and control into their social media programs.

Document a clear, concise corporate social media policy and communicate it to employees. Include it in new hire documentation and training. Make sure it includes both corporate and regulatory guidelines, and clearly define what is allowed, what is prohibited, and what the ramifications are if an employee does not adhere to the policy. Ensure that external audiences are just as aware of the policy as employees by posting it on Facebook pages, blogs and websites.

Any company facing regulatory controls could also face an audit at any moment. A social media policy should account for this reality by implementing technology that archives all content in a way that could quickly and adequately help prepare for an audit. For example, systems that automatically delete or remove social media content are not permitted under FINRA guidelines and should be prohibited in your policy.

Implement a process for review of all authored content. Everyone has heard the horror stories of employees who have posted inappropriate content and the resulting consequences. Making sure all content is reviewed by a compliance officer or other manager will help maintain compliance. It is also prudent to make sure the policy leverages a method to limit the number of employees granted admin rights to social media accounts.

When Appropriate: It’s important to continually monitor the various social sites. Check Facebook posts and Tweets on an ongoing basis and remove inappropriate posts or comments, or implement a social media management system that will do this automatically based on the constraints you define.

Whether it’s a doctor/patient conversation or a financial adviser/client conversation, take it offline if complying with regulations is a concern. Meet in person or discuss over the phone instead of in a public, internet forum.

Employee education and training is the best way to uphold policies, meet regulatory requirements and mitigate risk. Regularly educate employees about current social media policies, new programs or networks, and best practices. Hold regular “lunch and learn” events and launch a social media certification program that grants graduates new levels of privileges in social communities.

By making sure a complete and thorough social media policy and system is in place, heavily regulated industries can start to recognize the value of social media immediately without living in fear of violating federal regulations.


About SocialVolt

SocialVolt delivers enterprise social media risk management solutions for businesses and agencies. With SocialVolt, companies maintain control, minimize risk and empower staff at all levels to build profitable customer relationships in real-time. Ideal for heavily regulated industries like financial services, insurance, healthcare and pharmaceutical, SocialVolt bakes compliance and risk management into your social media program with detailed audit trails, prohibited terms, custom review dictionaries, approval workflow, access controls, and more.

Founded in 2009, SocialVolt is based in Kansas City and backed by Archer Capital. Its board of advisors is comprised of experienced senior marketers from American Express, Sprint and other leading enterprises.

Learn more at www.socialvolt.com.

©2012 SocialVolt, Inc. All Rights Reserved.