The Financial Industry Regulatory Authority's (FINRA) constantly updated record of disciplinary actions contains a mixed bag of run-of-the-mill infractions, unethical behavior, and large-scale corporate misconduct and regulatory failures. While the rules and regulations at the heart of these disciplinary actions are updated to keep pace with our changing economic and cultural landscape, there are certain themes and motives that are unchanging, even after 12 years of FINRA regulation.
Since FINRA was created in 2007, a lot has changed—but more has stayed the same. Initially, FINRA (or, more precisely, its predecessor, the National Association of Securities Dealers, or NASD) didn’t even contemplate online activity; today, multiple rules, and multiple monthly violations, concern online communications.
The core purpose of FINRA has consistently been to ensure the protection of the investing public; the surface details might change with new rules and technologies, but the underlying rules of engagement remain the same.
As a recently approved member of FINRA's Compliance Vendor Directory, we have a responsibility to know about the day-to-day happenings with regulatory bodies like FINRA and the principles that underlie those developments—especially as they relate to archiving, managing, and supervising online communications, which is what our technology helps compliance teams do.
Retaining Records: The Foundation for FINRA Compliance
An organization's compliance with FINRA regulations is only as good as its proof of compliance, which is why recordkeeping is so important. Your financial services firm can provide all the right disclaimers, make well-researched, specific recommendations that are suitable to your customers, and supervise everyone appropriately, but if you can’t establish through your records that you took those actions, from the perspective of a regulator, it's as if you didn't.
Those recordkeeping requirements clearly extend to social media and online communications. Starting in 2010, with Regulatory Notice 10-06, FINRA consolidated and clarified its prior guidance, with the intention of “ensur[ing] that—as the use of social media sites increases over time—investors are protected from false or misleading claims and representations, and firms are able to effectively and appropriately supervise their associated persons’ participation in these sites.”
To achieve those dual goals, and, just as importantly, to prove compliance with those goals, Regulatory Notice 10-06 requires that firms using online and social media sites to communicate with the public retain records of those communications.
But what communications, exactly? The regulation states that “the content of the communication is determinative,” such that “a broker-dealer must retain those electronic communications that relate to its ‘business as such.’”
FINRA Regulatory Notice 17-18 extended that rule to text messages, instant messages, and chat applications, necessitating that “every firm that intends to communicate, or permits its associated persons to communicate, with regard to its business through a text messaging app or chat service must first ensure that it can retain records of those communications as required.” So, retain your online communications with the public and you’re good to go, right? It’s never that simple.
Under FINRA Regulatory Notice 11-39, “Whether a particular communication is related to the business of the firm depends upon the facts and circumstances [of the communication]. This analysis does not depend upon the type of device or technology used to transmit the communication, nor does it depend upon whether it is a firm-issued or personal device of the individual; rather, the content of the communication is determinative.” Similarly, Regulatory Notice 10-06 clarified that “whether a particular communication constitutes a ‘recommendation’ for purposes of Rule 2310 will depend on the facts and circumstances of the communication.”
How do you establish the “facts and circumstances” of online communications? It’s simple, but not easy: you need to capture and retain the full context that surrounds that communication.
For social media communications, this may mean capturing an entire thread of comments and reactions under a post. For other online communications, this could mean archiving videos, animations, interactive or personalized features, or fillable forms and calculators. But that isn't the extent of FINRA's recordkeeping requirements.
Regulatory Notice 10-06 notes that firms can “adopt” content by “explicitly or implicitly endors[ing] or approv[ing] the content.” With social media, content may be adopted when it is “liked.” As Regulatory Notice 17-18 plainly states, “By liking or sharing [a third party’s] favorable comments, the representative has adopted them and they are subject to the communications rules, including the prohibition on misleading or incomplete statements or claims, the testimonial requirements, and the supervision and recordkeeping rules.”
Links—the defining trait of the internet—can also set up an adoption theory.
Under Regulatory Notice 11-39, “Firms may not establish a link to any third-party site that the firm knows or has reason to know contains false or misleading content. A firm should not include a link on its website if there are any red flags that indicate the linked site contains false or misleading content.”
Regulatory Notice 17-18 explicitly extended that analysis to social media sites, noting that “By sharing or linking to specific content, the firm has adopted the content and would be responsible for ensuring that, when read in context with the statements in the originating post, the content complies with the same standards as communications created by, or on behalf of, the firm.”
Archives, then, must include not just a firm’s social media posts, but also all of the comments and reactions that form the “facts and circumstances” surrounding those posts. Likewise, firms must retain records of both the pages that they explicitly author and any pages that those pages link to.
Supervising Communications: The Need for Navigable Archives
Recordkeeping may be at the heart of compliance, but it doesn’t do any good for firms to merely create records and then ignore them until they’re subject to a regulatory investigation. Rather, firms need archives that work—that are reviewable, navigable, and functional—so that they can use them to monitor and supervise ongoing communications. Why?
Regulatory Notice 10-06 requires that “Firms must adopt policies and procedures reasonably designed to ensure that their associated persons who participate in social media sites for business purposes are appropriately supervised, have the necessary training and background to engage in such activities, and do not present undue risks to investors.”
Regulatory Notice 11-39 clarified that “FINRA considers unscripted participation in an interactive electronic forum to come within the definition of ‘public appearance’ under NASD Rule 2210.” While these communications do not require pre-approval, firms must supervise their personnel “to ensure that interactive electronic communications do not violate FINRA or SEC rules, including the content requirements of NASD Rule 2210, such as the prohibition on misleading statements or claims and the requirement that communications be fair and balanced.”
Many failures of supervision are minor...until they're not. Recently, one firm was fined $300,000 for failing to reasonably supervise an associated person who conspired with a third party—who turned out to be a con man—to defraud a customer. The firm didn’t just inadequately supervise the associated person, either. It “failed to reasonably investigate” her conduct, did not “respond to ‘red flags’” regarding her actions, and did not “appropriately escalate” communications. The end result? Millions of the customer’s dollars were misappropriated. This is why firms must have the ability to review their online communications, identify those that may warrant concern, and follow up where needed. And some associated persons require even more than the standard level of supervision.
Regulatory Notice 18-15 requires that associated persons with “a history of past misconduct” be subject to “heightened supervision.” Compliance requires that firms have the means to identify associated persons requiring that heightened supervision, as well as a method to confirm that they have reviewed their communications and provided the appropriate supervision.
We’re curious to see how FINRA's rules and regulations evolve with the new, emerging technology being used by the organizations it governs. It’s easy enough to review emails, but emails aren't the only way to exchange information online anymore, and supervising those other types of online communications requires a bit more technical expertise. Rather than wading through stacks of screenshots or PDF files, you need functional archives that allow you to navigate in real time, click through links, and explore social media content.
To put it simply, adequate supervision demands archives with integrity.
Hanzo specializes in identifying, capturing, and archiving complex, dynamic, unstructured data from websites, social media platforms, and collaboration applications. Our technology is purpose-built specifically for professionals in regulatory compliance and eDiscovery, so we know a thing or two about regulatory investigations, recordkeeping requirements, and legally solid, admissible evidence.