As ever more companies use social media messaging, the compliance risks (and outright violations) proliferate right along with them. Two recent studies on the current state of social media underline just how vast and evolving that risk landscape is.
According to one analysis conducted by cloud-based solutions provider ProofPoint, the average Fortune 100 firm now has 320 social media accounts, which generated 500,000 posts originating from more than 1,159 employees during the period from July 2013 to June 2014.
Such a vast volume of accounts makes manual monitoring and enforcement nearly impossible for compliance departments today. “Assuming one minute of review per message, the average Fortune 100 company would spend 8,333 hours per year on a compliance review,” the report stated. (We’ll help with the math: A year has only 8,760 hours in total.)
Despite the compliance headaches posed by social media usage, compliance officers no longer approach such communication channels by employees with the hesitation they once did. According to another recent report conducted by Smarsh, just 39 percent of corporate executives in the financial services industry allowed LinkedIn in 2011. This year that number was 72 percent, followed by Twitter and Facebook, which were at 30 percent and 11 percent, respectively.
“Compliance officers are starting to accept the fact that new and emerging forms of communication are commonplace,” says Steven Marsh, chief executive officer and founder of Smarsh, which makes e-mail archiving software. “It’s no longer something that should be viewed as forbidden.”
Increased used of social media, however, means increased compliance risks, because regulators view social media like any other public communication channel—that is, subject to existing earnings disclosure, truth in advertising, and data privacy regulations. They specifically target companies whose social media communication is “ambiguous, unclear, or has the potential to deceive the public regarding their products and services,” says Mike Lee, director of social media solutions for social media security and compliance firm Nexgate, a division of Proofpoint.
Proofpoint’s analysis identified a total of 6,907 compliance violations (roughly 69 incidents per firm) spanning the following five categories:
Financial services standards;
Confidential corporate activity;
Life sciences standards;
Cross-industry standards; and
Regulated personal information.
The largest volume of compliance incidents resulted from violations of financial services standards. Lee cites several reasons for this, including that financial services firms are well represented in the Fortune 100 (a total of 21 firms); they are more apt to use social media than other industries; and they are subject to strict social media regulations.
“Compliance officers are starting to accept the fact that new and emerging forms of communication are commonplace. It’s no longer something that should be viewed as forbidden.”
Steven Marsh, Chief Executive Officer, Smarsh
Of the 5,565 compliance violations that occurred in this industry, most (4,898 incidents) resulted from customer response incidents in violation of FINRA Rule 4530(d). That rule requires regulated firms to report quarterly statistical and summary information regarding written customer complaints.
The second-highest number of compliance incidents (463) related to truth in lending violations, which govern advertising related to consumer credit accounts. Facebook posts or tweets about credit offerings cannot just include disclosures of annual percentage rates, for example. They must also disclose specified loan features such as down payment requirements, repayment periods, and more.
From a practical standpoint, mitigating violations of customer response incidents and truth in lending violations requires that financial services firms review both employee and public commenter posts. That can be an impossible task for any company that manages hundreds, or even thousands, of accounts each day. “Monitoring those communications between that large of a population becomes a very significant scale issue,” Lee says. Finding ways to monitor those kinds of communications without the encumbrance of manual moderation is critical, he says.
Both the ProofPoint and Smarsh report also spotlight the difficultly companies have in responding in a timely manner to FINRA requests for information. Since 2013, FINRA has conducted so-called “spot checks” of social media communications on selected firms, where it requests specific documentation that can demonstrate that the company is taking steps to comply with FINRA’s guidelines. “We know based on our interactions that organizations are struggling with these spot checks,” Lee says.
In a 2015 Examination Priorities Letter, FINRA similarly expressed this concern. “FINRA has experienced an increasing number of situations where some firms have repeatedly failed to provide timely responses to its information requests made in connection with examinations and investigations,” the agency stated in a letter. FINRA added that it “cautions firms that production failures expose firms to disciplinary action.”
In the Smarsh report, compliance officers in the financial industry cited three main factors that contribute to their overall lack of confidence in providing information to FINRA in a reasonable timeframe, including social media communications. The top factor, cited by 46 percent of respondents, is the complexity associated with searching across multiple platforms and applications to find the data. This complexity is compounded by a general lack of familiarity with the technology, cited by 45 percent of respondents, and limited staff resources, cited by 39 percent of respondents, the report stated.
Manually searching and tracking social media accounts on an ongoing basis requires countless hours to accomplish each task, not to mention that manual processes are more prone to human error. Hence the argument for automated social account discovery to reduce compliance headaches.
SOCIAL CHANNEL USAGE
The Smarsh Report compares the levels of allowed corporate activity for LinkedIn, Twitter, and Facebook in 2011 and 2015.
Some solutions on the market, for example, can “scan every single post made across the organization, across every single account, and at unlimited scale and do it in real-time,” Lee says. Automated tools can also alert compliance departments in real-time, so that incidents can be remediated immediately, rather than during an audit, he says.
“If you’re using an e-mail archival tool, a lot of vendors will automatically connect and archive social media accounts to the back-end infrastructure for retaining e-mail data,” Lee adds. “That’s a good starting point.”
The next step after you locate all your social accounts is figuring out how to retain that data—an area where companies have improved over the years. According to the Smarsh report, only 17 percent of firms archived at least one social media channel—LinkedIn, Facebook, or Twitter—in 2011. That number grew to an average of 30 percent archiving at least one channel the following year, and today it’s at 61 percent. That still leaves 32 percent of firms that don’t have a social media archiving solution in place.
Having an archiving platform in place gives compliance departments greater flexibility to “roll with the punches when new communication tools show up in the organization, or want to be used by the organization,” Marsh says.
Beyond the adoption of newer technologies, developing a robust social media compliance program that reduces risks requires that companies approach social media risks differently than traditional forms of communication.
“Unfortunately, social media has grown so quickly and each network has so many modes of communication that compliance practitioners are finding it difficult to simply transfer existing process to the practical realities of social,” the ProofPoint report stated. “The informal culture and pace of social discussion create an environment where well-meaning employees and customers are far more likely to make mistakes than other channels.”
Reducing the risk of potential social media violations begins with compliance working in partnership with other departments, including social media users (marketing and sales) and the information security team, Lee says. The primary role of this cross-functional team should be to assign roles and responsibilities within the organization for policy, training, enforcement, and audit, he says.
Compliance officers in the financial services industry have seen their roles evolve quite a bit by “taking a seat at the executive table and being an enabler of business practices,” Marsh says. Compliance increasingly is working with marketing and sales teams, for example, to facilitate the use of social media and ensure that it’s being used in a compliant manner, he says.
Another important factor of reducing social media risk is to develop a policy that details which social networks are approved for each account type, what content is allowed and not allowed, and which publishing tools should be used for corporate accounts and when content should be reviewed. “Compliance really needs to own it,” Lee says. “Assign ownership for implementing a policy that works.”
As companies lean on their compliance departments to produce increasingly more data, Marsh says, this will further elevate the roles and responsibilities of compliance moving forward.