No policy? No problem – How to create proactive policies for IM and social media

When it comes to flourishing communication methods like social media and IM, choosing to ban platforms and steer away from creating policies could leave your organization vulnerable to substantial compliance violations. Mitigate regulatory risk and remain compliant by proactively implementing procedures and policies for emerging messaging channels sooner rather than later.

30 October 2023
By Kathryn Fallah

In brief:

  • Technological advances like IM and social media are now essential communication tools for the financial industry
  • No policy doesn’t mean no problem – banning channels will not keep organizations safe from regulatory non-compliance
  • We set out a step-by-step breakdown for implementing policy management at your company, so you can be prepared for potential audits and keep pace with industry modernization

Instant messaging (IM) and social media have taken the corporate world by storm. Since their creation, these messaging channels have become a fundamental facet of business dealings. Many companies have taken to social media to share and promote their products, and have also adopted IM applications to ensure ease of communication and boost efficiency internally and externally.

Though IM and social media platforms are being implemented and embraced by businesses worldwide, it remains critical to ensure that all compliance implications are assessed, to mitigate associated risks.

Indeed reported that more than 40% of American workers communicate via IM at work. It is clear that regardless of policy (or lack thereof), business staff can, and often will, find a way to connect through the most convenient channels.

As Assistant Attorney General Kenneth A. Polite said in his keynote remarks at the ABA’s 38th Annual National Institute on White Collar Crime:

“In today’s day and age, the use of these services is ubiquitous. Just as we expect corporations to adapt to the realities of modern life and update their policies and practices accordingly, so too does the [Department of Justice].”

It is no longer possible to simply ignore IM and social media as business tools – these forms of communication are now well established, and are not going anywhere. The world has become irreversibly digital, and to stay ‘in the now’, organizations must follow suit to prevent being left behind.

Policy management, please!

It is often said that ‘honesty is the best policy’. When it comes to social media and IM, policies are the best policies – working alongside honesty to ensure compliance. The implementation of effective policies allows compliance teams to demonstrate that they are keeping abreast of developments to remain accountable to all regulatory bodies.

Organizations that choose to ignore these platforms will be at risk of falling behind, as many companies have moved to adopt new technologies to appeal to clients and foster a productive work environment for staff. Banning emerging messaging platforms will simply not suffice, as channel bans have proved to be both ineffective and non-compliant. In a press release detailing the Securities and Exchange Commission’s (SEC) charges against 11 Wall Street firms for recordkeeping failures, all were found to be insufficiently supervising staff’s use of communication channels:

“Each of the broker-dealers was charged with violating certain recordkeeping provisions of the Securities Exchange Act of 1934 and with failing to reasonably supervise with a view to preventing and detecting those violations.”

The repercussions are certainly undesirable, which may cause hesitancy when it comes to fully utilizing these applications. Despite the risks, organizations have experienced rampant success in harnessing new communication channels, especially with engagement opportunities, ease of use, company growth, visibility, client preference, and optimized processes.

When it comes to emerging social media or IM channels, implementing clear policies is essential to avoid regulatory scrutiny. In the same way that media personality Kim Kardashian was fined for promoting crypto on Instagram, your organization’s staff could improperly use social media and face inevitable repercussions. Without clear guardrails for messaging apps, individuals will use all channels for business – potentially to the detriment of compliance.

The Commodity Futures Trading Commission (CFTC) Commissioner Kristin N. Johnson said in a statement regarding the CFTC reaching over $1 billion in civil monetary penalties related to off-channel communications:

“Employees’ increased reliance on simple, easy-to-access but unauthorized chat and text platforms will pose a significant challenge for many types of entities operating in our markets. Internal compliance programs must adopt controls consistent with this new landscape. Firms must inculcate a culture of compliance at all levels of their organization to mitigate the risks posed by unauthorized use of chat and text platforms.”

If you do not have suitable policies and procedures in place concerning sensitive information transmitted over social media and IM communications, how can you ensure your data is being captured compliantly, and your clients are safeguarded?

Where to start?

The only way to minimize risks is to put a policy in place. Don’t have a policy yet? Don’t fret. When creating and maintaining a policy, clear steps exist to ensure complete capture of all data:

  1. Before policies are even constructed, decide what team will partake in forming these policies and who will oversee communication platforms and employees’ use of them, eliminate problems, and update policies as needed. These departments could include Communications, Legal, HR, and Compliance, to name a few, and will depend on the size and structure of your company. 

    After determining which teams and departments will manage these policies, begin creating them. Each one will need to be distinct and well-defined in which type of communication it addresses – a policy on social media posts will be different than a policy on messaging apps, for example, as the rules for each unique form of communication vary. Several departments may supervise separate policies depending on who utilizes IM and social media applications within the organization. If the marketing team is the main operator of social media posts at your company, related policies will mainly apply to them.

    Upon official implementation, it is vital to circulate policies and provide training on them. Employees must know these guidelines exist, where to find them, how to stay compliant, and who can answer any questions that arise. This is particularly crucial for new employees. Make sure all staff know that any communication related to the business – whether written, spoken, or videotaped – is data that must be recorded as per federal regulations.

    The Advisers Act also requires that advisers review the adequacy of compliance policies and their effectiveness at least annually. Do not let your policies go stale.
  2. Know the rules. The SEC has established numerous rules and guidelines to outline required communication archiving procedures on social media and IM since they have become a bigger part of business practices over the past decades.

    In 2020, the SEC made updates to the Advisers Act to create what is known as the Marketing Rule, which notes how organizations must handle advertisements and marketing communications, including those posted on social media, to stay compliant with regulations. Some of these points include proper practices relating to ads, testimonial and endorsement use, third-party ratings, and recordkeeping requirements.

    As stated in amended Rule 204-2, organizations also need to make and keep all copies of advertisements directly or indirectly disseminated, or they will be subject to fines. Creating and preserving a well-maintained archive is of utmost importance to avoid these penalties.

    It is also essential to consider all guidelines stated in the SEC’s Regulation Fair Disclosure (FD). Regulation FD requires public companies to disclose material non-public information shared with private individuals. This requirement prevents a situation where only certain shareholders have knowledge of substantial company information and aims to help level the playing field between investors and the general public.

    Violations of both the Marketing Rule and Regulation FD have resulted in fines and penalties. Elon Musk, CEO of Tesla, was charged with securities fraud for tweeting misleading information about taking Tesla private. Though this fine was levied against an individual as opposed to a company, it warns of the danger organizations can face if they are not following federal regulations.

    With regards to IM, Rule 17a-4 details the manner and length of time that all communication records must be maintained and produced to Commission representatives. This rule also requires that broker-dealers preserve communications received and all copies of communications sent in an easily accessible place.

    Knowing this, information about regulatory rules must be included in your policies so that employees understand the steps they need to follow. Compliance teams must also have a firm grasp of these rules so they know what to look for when surveilling communication applications.
  3. Foster a collaborative and compliant culture. While it is necessary that employees understand their role in upholding compliance, it is just as important that management sets a good precedent for how to behave and accurately follow procedures at your organization. A transparent and open company culture that demonstrates appropriate behavior from the top-down will encourage conformity and prove to your staff that executives and leaders are practicing what they preach.

    While this idea seems obvious, it has often been the case in recent violations that those engaging in illicit communications have been senior leaders. In a statement published in August this year, CFTC Commissioner Christy Goldsmith Romero stressed this point by urging C-suite members to lead by example:

    “Tone at the top dictates a bank’s culture and that tone must change on Wall Street and large foreign banks. The tone at the top the CFTC found was one of evasion, keeping regulators in the dark. Change can only happen if the bank’s C-suite establishes a culture of compliance over evasion. It is far past time for the C-suite to step up.”
  4. Alongside keeping organizations away from regulatory pitfalls, policies help keep client information safeguarded. Financial institutions are constantly working with sensitive client data, which means safety is non-negotiable. As stated by the Center for Strategic and International Studies, financial institutions are prime targets of cyberattacks, as cyber criminals are able to profit through extortion, theft, and fraud.

    Effective policies that explain how to carefully communicate on social platforms will help raise staff awareness and add an extra layer of defense to combat these attacks. Additionally, in case any suspicious activity does occur, functional procedures and archiving assist in detecting these occurrences and provide an audit trail of communications. Without these guidelines, your clients’ data could be compromised. Not only will this lead to a loss of trust – it can damage business integrity.
  5. Find and implement the right tools to support smooth policy execution. This could include integrating technology from a third-party provider to retain compliant communications through reliable archiving. Do research when selecting a provider to make sure the one in question offers an end-to-end solution that is responsive, secure, and trustworthy.

    Appropriate recordkeeping includes commissioning a secure archiving solution, which can guarantee smooth access and retrieval of all documentation to abide by regulatory retention rules.

    Also, keep a regular schedule for auditing. Your compliance team needs to review and assess policies to determine if updates are needed for reasons like changes to the business or its risk profile. Implemented archiving technologies should also be audited for continued functionality. 

While it may seem easier to brush off IM and social media platforms altogether, it is wise to stay ahead of the game and prepare for any situation that can occur. As these new applications and methods of connection take over, regulators will only continue to become more watchful of financial institutions’ operations.

To avoid getting caught in the crosshairs of these violations, be proactive in producing and implementing policies at your institution to keep in line with regulators’ rules and remain risk-free.   

Effective policy management sets the base for communications compliance and functional business operations by safeguarding against risk and demonstrating proactivity. Compliance tools should be used in conjunction with effective policies to ensure good practice and withstand regulatory scrutiny. Global Relay’s suite of compliance products enables organizations to demonstrate proactive compliance and empower compliant communications.