
Welcome to the jumbotron

Bill Coffin | May 1, 2017

In a recent phone call, I described e-mail newsletters as the prehistoric shark of digital communication: ancient, unevolved, but somehow still able to get the job done. But even by those standards, various forms of social media are steadily emerging as our new primary method of electronic communication, and with it comes a host of regulatory and compliance concerns.

FINRA noted this recently in its Regulatory Notice 17-18: Social Media and Digital Communications, released in April. This follows up a few older notices that reflect how FINRA—like everybody else—has tried to keep pace with the swiftly developing capabilities and usage of social media platforms, apps, and mobile technology. Underpinning 17-18 are some facts that nobody can argue with:

  • In 2005, just seven percent of adults used social networking sites. Today, 65 percent do. We’re probably still on the shallow side of the hockey stick there, to be honest.
  • Social media makes heavy use of native advertising and content that might look independent but actually isn’t. Social media advertising is likely to outstrip all other forms of online display advertising in the next five years. Good news: no more banner ads! Bad news: more fake news stories trying to sell you something.
  • 64 percent of American adults own a smartphone. Virtually everybody who owns a smartphone uses it to text regularly. This time last year, there were 900 million active Facebook Messenger users; that number has surely topped a billion since then. Other chatting apps such as WeChat added as many as 200 million monthly active users from 2015 to 2016. 200 million people is somewhere between the populations of Pakistan and Brazil. Not a small number of people.

In the face of these kinds of trends, FINRA noted that going forward, financial services companies are going to have to archive all social media interactions with their clients, which includes mobile messaging apps, text messages, native advertising, and content that is less than objective and meant to sway opinion. Moreover, according to Mike Pagani, chief evangelist at enterprise archiving company Smarsh, FINRA rule 22-10 from 2013 makes all of this guidance potentially enforceable. It all adds up to a scenario where companies simply have to start archiving their entire social media footprint in such a way that they (a) can actually capture all ingoing and outgoing communications that pertain to their business, (b) store this data in a way that can be easily retrieved when needed, and (c) do so in a way that does not infringe upon employees’ ability to use social media personally.

These things are all easier said than done, Pagani told me in a recent conversation, especially since current supervising processes are broken. It doesn’t make sense to spot-check tiny slices of social media traffic for signs of inappropriate communication, because it’s like looking for a needle in a haystack. While Pagani would be the first to admit that his feelings on this issue are connected to Smarsh’s line of business, the truth is that the only way a company can properly comply with current and future regulations on this front is to build a system that can archive all communications and sift through them for signs of trouble; perhaps automatically at first, and then using a more human-driven, qualitative approach on a second or third pass.

Another point, Pagani noted, is that examiners have data scientists now who are experts in pulling data from mobile devices, or at looking across entire organizations, or at getting data directly from third parties such as mobile carriers. One way companies might address this is to embrace it. Prohibiting people from using their mobile phones or social media platforms for business never works. Better to adopt what Pagani calls a “bring your own persona” approach and simply require employees to grant their employer full access to their devices, provided that employer also agrees to some kind of condition that this access won’t be abused or used for anything other than compliance purposes. A lot of folks might balk at this, but I think there’s something to it. After all, most mobile and social users already surrender most of their privacy in bits and pieces; they just don’t realize how much of their lives is out in the open. Doing it out in the open at work is not just a great way to help provide your employer with a better compliance regime, but frankly? It’s a great way to remind yourself that what you say and do online is fully discoverable.

I have long adopted the mindset of not putting anything on social media that I wouldn’t feel comfortable broadcasting on the Times Square jumbotron. As we see automated, AI-driven tools develop better capabilities to sift through all of our communications, that jumbotron approach might not just be a social media strategy. It might just be the reality for anybody who hasn’t opted out of digital and mobile communications altogether.

Welcome to the jumbotron, everybody. The good news is, most of you have already been on it for years.