Mutual fund and exchange-traded fund (ETF) firm adoption of social media has hit a bit of a bump in the road. Maybe it was bound to happen.
Overall, employees seem to have been tickled about their firms wading into social media—it wouldn’t have been believed possible when many employees signed on.
But because Marketing has tended to the nitty-gritty of how the corporate social accounts need to be managed, few employees have had intimate knowledge of the long reach of FINRA when it comes to communicating on other domains.
It’s only now that firms are beginning to empower wholesalers and other employees to actively participate (more than the establishment of a profile) on LinkedIn, the rest of the firm is being introduced to the cold hard fact that business communications on social networks fall within the purview of Compliance.
Based on multiple conversations I’ve had with marketers over the last several weeks, some employees object to Compliance requiring them to use their business email addresses as their primary email address on LinkedIn. And, some smart at the idea that all those communications will be archived by the firm.
Perhaps it’s an overstatement to appropriate the Gartner hype cycle chart here. Employee expectations have never been inflated, and I doubt there’s deep disillusionment now. But learning the implications of participation is reportedly giving employees pause and even stopping a few in their tracks. Those who insist on total control are opting out of LinkedIn altogether.
The whole "activation" phase leading to enlightenment and productivity is not going as smoothly as hoped.
This discussion finds firms assuming some black-and-white positions (for registered employees) and navigating a gray area for non-registered employees.
I’ve reached out to three leading social media archiving vendors to get a better feel for how firms across the board are balancing FINRA requirements, Compliance and IT issues, and employee concerns.
Since the beginning, the archivers have embraced the need to educate the market (see this 2011 report) and their contributions here are yet another example. None of their comments can take the place of legal advice, of course. Below you’ll also see comments from Blane Warrene, a friend and someone familiar with best practices from his work as co-founder of Arkovi, since acquired by RegEd.
Hope these help.
2 Approaches To 'A Lively Conversation’
From Joanna Belbey, Social Media and Compliance Specialist, Actiance: Financial services is an industry that has regulatory requirements that require firms to capture, archive and make e-discoverable all “business” electronic communications. These requirements are called “recordkeeping” or “books and records.”
The regulators make it quite clear that “content is determinative.” Therefore, it doesn’t matter if it’s a corporate email from a firm-issued device, an instant message on a personal device, an update on a collaboration tool or a post on a social media site, if it’s a business record, it’s subject to recordkeeping requirements.
Firms are challenged to create policies that define the types of business records that will be captured and to use technology to support the policy.
Fifteen to 20 years ago, all firms had to worry about was email. Now the communications landscape is much more complex. To make it even more complex, employees may “channel hop,” i.e., have a conversation that starts on the phone, and then moves to email, instant messaging or even social media. In the end, the communications stream may need to be reconstructed so that regulators or litigators may understand the conversation in context.
Recordkeeping polices are always a lively conversation at regulated firms among Legal, Compliance and Risk Departments. The goal is to retain just enough to satisfy regulators, while limiting liability. After all, the more information you retain, the greater the risk that regulators or litigators will find something, and the more expensive it is for archiving and retrieval.
Based on the culture of compliance at a firm, here are two approaches that we’ve seen for InMail within LinkedIn:
1) Some firms elect not to retain InMail. For these firms, personal emails are posted as the primary email address, and non-business-related communications are sent through LinkedIn.
Employees post a message on their profiles such as "I cannot respond to any communications or questions about the financial services industry via LinkedIn. Please use my company email address for all business-related inquiries."
The use of InMail is allowed only to make connections and InMail is not to be used as a broadcast or “blast” medium. Any InMail received that is business-related is forwarded to the company email account and replied to via corporate email only.
This approach relies on clear social media polices, training and judgment on the part of employees. To mitigate the risk of non-compliance with recordkeeping requirements, firms need to put processes in place to spot check adherence to polices.
2) Most firms elect to retain all InMail.For these firms, company email addresses are typically posted as the primary email address on LinkedIn and all communications (both personal and professional) are sent through LinkedIn. All communications are monitored and retained, regardless of whether the communications are personal or professional.
The advantage of this approach is that processes are clear cut, can be automated with technology and resemble existing policies around email. The downside is that employees may object to their personal communications being archived and although it meets regulatory requirements, it may increase the risk of liability for the firm.
At the end of the day, every firm is different and will need to create recordkeeping polices and processes based on their culture of compliance and risk tolerance.
Planning To Use The Account? Archive It
From Victor Gaxiola, Customer Advocacy Manager, Hearsay Social, after conferring with the firm’s Head of Legal/Compliance: If the expectation is that LinkedIn will in any way be used for business, then it is appropriate for the business email address to be listed as the primary contact.
However, if the employee plans only to have a static profile, and will not be updating or sharing content that is business-related, then they can use their personal email address. In this case, a firm may ask the employee not to associate with the firm to avoid the risk of sharing a business-related post that would make them liable.
Employees who push back on the use of a work email address as a primary email address—especially if the activity is being monitored or archived—stems more from a concern that they could be looking for work or applying for jobs, and they don't want any of that activity to be captured.
Use of the work email or personal email does not make any difference in the liability of the firm as much as the content the employees are sharing does.
Regardless of whether they use a personal or a work email address as their primary address, if the registered employee is using LinkedIn for business and is sharing content related to the industry, then the firm has a responsibility to monitor, archive and retain records of the activity.
It's similar to the use of a private vs. company-sponsored device where the content is determinative—not the medium. This is covered in FINRA Regulatory Notice 11-39(link opens a PDF).
Client-Facing Is The Test
From Bruce Milne, executive vice president, Socialware: In our experience, employers see a significant risk in regulated employees using LinkedIn for business purposes but using an alternate email address for conducting 1:1 communications. A few not-insignificant fines and censures have been levied against firms that allowed financial advisor-to-client communications to happen through alternate email channels.
FINRA has interpreted any use of LinkedIn for registered employees as "business use," so archiving, post-review and all the other compliance rules apply.
For non-registered employees, however, the rules become less clear. The distinction that we have typically seen is that employees who are client-facing, who have communications with clients through LinkedIn, must use a firm address and track all communications.
Non-registered employees who use LinkedIn strictly for personal use may use a personal email, and will not likely be archived (firms don't not want the additional risk of archiving personal information from peoples' social networks unnecessarily).
The technical process of archiving is neither difficult nor particularly expensive, but archiving personal conversations may create reputational, legal or other risks. In this instance, the standard is to require them to not use the name of their employer.
We have received a few requests now for firms to extend the same access controls and compliance features that we provide to registered employees to all corporate employees on their work desktops, but only for the duration of their workday. If they use social media at work, the firms would like to limit what activities they can do (and monitor for data leakage, etc.)
But in their off-hours, the employees—using their own social network profiles on their own personal devices—are on their own recognizance.
Best Practice: Acquire Voluntary Attestation
- There is mixed precedent set in U.S. courts regarding who owns the LinkedIn profile in general, as well as contacts acquired during employment with a firm.
- If an existing LinkedIn account was in place, it is a challenge to try and force the employee to make the business email address primary unless the person is explicitly registered and subject to FINRA supervision and attests voluntarily to use their LinkedIn account for business purposes to the benefit of their employer. You have to also watch how the National Labor Relations Board approaches this as much as any industry regulatory body.
- It does open up the need to archive InMail, and that is also a challenge as folks have wide networks beyond the office and often communicate via InMail. This can bump up against myriad state and federal laws, statutes and guidelines.
A best practice would be:
- Focus on assuring that profiles are set up optimally and compliantly.
- Have a clear policy, legally vetted, on who owns what data on LinkedIn when accounts are being used for business purposes and then acquire voluntary attestation to that policy for all participants.
- Be certain to offer up great tips, techniques and genuine relevant brand content that participants can share to seek engagement from their networks.