Regulators are paying as much attention to what financial companies say as to how and where they say it.

As social media has continued to change the way banks, brokers, and other financial firms communicate with customers, regulators are increasingly taking steps to enhance their oversight of these tools and how social media is used to market financial products and services.

Late last month, the Federal Financial Institutions Examination Council (FFIEC) released proposed guidance on social media policies for banks and credit unions, and the non-bank entities supervised by the Consumer Financial Protection Bureau and state regulators.

Although the guidance didn't impose additional obligations, it did emphasize that financial firms need to do a better job managing the risks associated with social media, and that those risks need to be managed institution-wide.

Greg Pulles, of counsel for the law firm Dorsey & Whitney's finance and restructuring group, says a top concern is protecting the privacy of customer data, especially when banks, subject to strict regulations, utilize third parties with lower data-privacy standards or communicate on sites that have a business model that revolves around brokering that data.

“It is very important that banks take into account that, on one hand, they have Twitter's and Facebook's rules, and on the other they have their own privacy policy,” says Pulles. “How do you make sure you keep those two things in sync?”

“The collision of these worlds” is particularly troubling for banks that have requirements not to discriminate on the basis of age, sex, and race, says Jamie Nafziger, a partner at Dorsey & Whitney who specializes in social media. “That becomes hard when that information is staring you right in the face.”

The host of data privacy concerns that social media raises is cause for a renewed focus on training and oversight of employees who may be operating social media, says Nafziger, as well as those at public relations firms who may be using social media on behalf of financial institutions.

“They really have to be trained on what the legal risks are, because a lot of the interactions happen very fast,” Nafziger says. “It is not like you are getting a legal review every time.”

Another challenge for banks is that they will be required to monitor what is said about them online, a tracking intended to shed light on reputational risks.

“If you are a big brand you are going to get thousands and thousands of hits,” Pulles says. “There are lots of customer complaints and lots of nasty things. The smaller bank is going to be reluctant to go down the path of social media because of concerns that is what it is going to turn into.”

Keeping up with comments online could put financial companies in a bind due to the difficulty of following so much chatter. “If you are a compliance officer at a financial institution and a regulator asks you during a quarterly meeting, ‘What are your customers saying about you on social media?’ I want to be able to answer the question,” says Tim Nagle, a member of law firm Reed Smith's data security, privacy, and management practice group. “But I would certainly condition it by saying, ‘As far as I know.’”

Is that good enough? Nagle admits he is not sure. But it may be the best banks can do, especially when responding is risky because personnel don't have rigid guidelines on when to interact or how. 

“The big deal for a firm is they have to rewrite this area of policy and procedure to fit the way they do business with the products they offer.”

—Mark Catone, Senior Director of Compliance Technologies, National Regulatory Services

“Watch but don't participate, because you don't know who you are talking to and you don't know whether they have a bona fide complaint or if there is anything you can do to adequately respond to it,” Nagle says. “Your reaction may even raise the profile of this above what it might have otherwise generated.”

FINRA's New Rules

The rules of the road for customer outreach are also changing for broker-dealers and investment advisers. The Securities and Exchange Commission recently approved long-gestating changes that revamp the Financial Industry Regulatory Authority's (FINRA) rules regarding communications with the public. Specifically, the changes further clarify separate requirements for retail and institutional communications, a distinction in place to ensure the suitability of recommendations for each segment.

Michael Weissmann, a partner in the law firm Bingham McCutchen who specializes in broker-dealer issues, says the FINRA rule keeps most content standards largely the same, but there are changes that will require updates to broker-dealers' policies and procedures for advertising, marketing, and sales materials.

Retail communication and correspondence, as defined in the new rule, includes any outreach, written or posted online, made available to more than 25 retail investors. Hard copy advertisements and sales materials aimed at this segment require pre-approval from a principal of the firm. Communications made via social media, however, often posted in real time, are exempt from pre-approval as long as they make no specific investment recommendations and the content is later reviewed, cataloged and discoverable.

OCC PROPOSED GUIDANCE

The following is from the Office of the Comptroller of the Currency's proposed guidance on social media for financial institutions.

Compliance Risk Management Expectations for Social Media

A financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media.

The size and complexity of the risk management program should be commensurate with the breadth of the financial institution's involvement in this medium. For instance, a financial institution that relies heavily on social media to attract and acquire new customers should have a more detailed program than one using social media only to a very limited extent. The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing.

A financial institution that has chosen not to use social media should still be prepared to address the potential for negative comments or complaints that may arise within the many social media platforms described above and provide guidance for employee use of social media.

Components of a risk management program should include the following:

A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution (for example, through increasing brand awareness, product advertising, or researching new customer bases) and establishes controls and ongoing assessment of risk in social media activities;

Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws, regulations, and guidance. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention;

A due diligence process for selecting and managing third-party service provider relationships in connection with social media;

An employee training program that incorporates the institution's policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities;

An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;

Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance; and

Parameters for providing appropriate reporting to the financial institution's board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.

Source: Office of the Comptroller of the Currency.

Another change eliminates the distinction between existing and prospective customers. “Pretty much any time you are going to send something out to more than 25 people in a 30-day period it's going to be considered retail communication,” Weissmann says.

The new rule states that a firm may not treat a communication as “institutional” if it has any reason to think that it has been forwarded to a retail investor. It adds new responsibilities for firms that discover those lines have been blurred by a third party.

“FINRA has put down more of a marker,” Weissmann says. “It is pretty clear that if you are in a situation where you give another firm an institutional communication and now learn it has been sent to retail investors, you need to be proactive. You don't need to be out there actually monitoring these other firms, you are not their supervisors, but once you learn of it you have to do something about it before you can continue to give this firm these communications.”

Some firms, Weissmann says, have decided to treat nearly everything they send as retail communications, in order to cover themselves.

“The day you learn a piece of institutional communication was sent to retail investors is way too late to start drafting policies and procedures, or to start coming up with a plan of attack for what you are going to do to remedy the situation,” he says. “You need to have thought that through ahead of time.”

Mark Catone, senior director of compliance technologies for National Regulatory Services, says many firms will find the new rules add to a workload they can barely keep up with already.

“I was with a customer last week that had two- to three-foot stacks of paper of advertising review materials on their desk,” he says. “It is very paper-driven. If you have ever visited one of the firms and walked through their compliance department you can see the challenges. There are stacks and stacks of things and you can imagine having to be able to track all that.”

The added work comes even though firms are not getting “significantly increased budgets for the compliance function” and have to deal with increased regulatory demands, Catone says.

Everything from PowerPoint slides to videos and audio recordings now falls into the realm of communications and needs to be accessible and reportable during a regulatory examination. Even e-mails, without proper tracking, create risk, “as they become fragmented and lost if they are not consolidated,” Catone says.

FINRA collectively fined member firms $21.1 million during 2011 due to advertising violations, up from $4.75 million in 2010. In 2011, 1 of every 3 FINRA sanctions was due to an advertising violation. “Firms are realizing the severity of non-compliance,” Catone says.