Social Networking Carries Real Compliance Risks

Written by Steven Randall and Veronika Fritz, Partners, Vonya Global

Social Media Risk

Between all the bathing suit selfies and Worldwide Wrestling fan pages, social media seems, well, silly and inconsequential.

It becomes less silly when the FDIC or FTC come knocking because they caught you sneaking an ad into your blog post, or an advisor made a statement (good or bad) about your company without disclosing employment. Social media is electronic communication like any other, and yes, it’s regulated—particularly in the financial service industry and healthcare, but in all industries to a degree.

You would think that social media falls under labor relations or equal employment, because those are the stories that make the news. Recall Lindsay Stone who, while on a work trip to Arlington National Cemetery, was pictured on social media shouting and flipping the bird beside a sign reading “Silence and Respect.” Or, Marine Sergeant Gary Stein who declared “S**ew Obama. I will not follow all orders from him.” Stone was fired and Stein was granted an “other than honorable discharge,” and neither had any recourse. They were on the job at the time of their ill-advised postings.Social Media Compliance

True, the National Labor Relations Board (NLRB ) does draw clear lines on what is allowable. It states that federal law “gives employees the right” to join together on Facebook, Twitter, etc. to improve their lives at work, viewing it as a “protected concerted activity.” But if in the course of that activity an employee slags the company as a “Hell hole” and disparages the product, or simply embarrasses the employer, then the employer has a legitimate complaint.

NLRB aside, following are just a few examples of social media oversight, and most are specific to financial services:

  • Federal Deposit Insurance Corporation: No hiding ads in Facebook, tweets or blog posts. FDIC requires an advertising statement and use of the FDIC logo (12 CFR § 328.3). Further, banks advertising loans for dwellings over social media (and elsewhere) must include the Equal Housing Lender logo.
  • Federal Trade Commission: FTC guidelines require disclosures on social media of a blogger or poster’s relationship with a company.
  • The Financial Industry Regulatory Authority (FINRA): FINRA Rule 2210(c)(6) includes social media among the written communications that are subject to periodic spot-checks. FINRA’s Advertising Regulation Department requests that you provide (among other items) an explanation about how a firm uses Facebook, LinkedIn, Twitter, blogs, etc.; the identities of the people who use them; and an explanation of the measures your firm uses to monitor compliance with the firm’s social media policies (e.g., training meetings, annual certification, technology). Absence of those policies is a violation.
  • The Securities and Exchange Commission: The SEC allows companies to use social media (e.g., Facebook and Twitter) to announce key information in compliance with Regulation Fair Disclosure (Regulation FD), but—investors must be alerted to which social media will be used. So the postings themselves are not enough. And like FINRA, investment advisers are strongly encouraged to create a compliance program and periodically evaluate the effectiveness of it.
  • The Gramm-Leach-Bliley Act: The GLBA enforces protection of private information. It obliges financial institutions to protect the customers’ personal information, including on social media (which GLBA sees as public). And it requires disclosures when collecting data over social media (e.g., how the data will be used), and providing opt-out. And it comes down hard on pretexting, which is using false pretenses to obtain private information.
  • HIPAA: Under the Health Insurance Portability and Accountability Act, healthcare professionals can be (and have been) fired with little recourse for discussing patients in elevators; certainly for discussing patients in electronic communications.

The list goes on. And on.

Policies, audits, enforcement and expertise

Oftentimes—we hope, more often than not—a violation is a mistake, with no ill intent toward the company or its customers. A financial adviser understands exactly what’s prohibited in a phone call or written communication, but saw no harm in a LinkedIn or Facebook post.

But alas, that is ignorance of the law, and ignorance is no defense.

A short list of recommendations:

  • A company must have a written social media policy in effect, and evidence that employees are aware of the policy (such as their signature on a document, their attendance at training).
  • The policy must be clear. Employees must understand just what FTC, GLBA, the SEC and so forth require of them, and in turn, what the company requires of them.
  • The company must conduct internal audits. Audits and corrective action go far with the Fed, as does self-reporting. While not a social media case, the Justice Department in 2012 decided not to prosecute Morgan Stanley for Foreign Corrupt Practices Act (FCPA) violations when it proved that its former Managing Director Garth Peterson, who had taken and issued bribes, had been trained in FCPA compliance seven times on FCPA and had been issued 35 reminders about compliance. It also regularly monitored transactions and randomly audited employees, transactions and business units. Morgan Stanley did due diligence, and fessed up when its efforts failed.
  • Create a steering committee to write the policy. The steering committee should include any business unit with a stake in social media, including marketing, risk, sales, legal, IT, HR and IA, among others.
  • Monitor social media. No, you needn’t task your Internal Audit team or corporate counsel, when electronic tools exist. Bear in mind that marketers routinely monitor social media to gauge customer sentiment. Compliance officers can do the same with tools like computer assisted review (CAR), which looks for (among other behaviors) excessive communication between two people and odd statements like “I made a killing on the market” or “Put one over on my boss today.” Tools like these can review 2 million documents in under a week with startling accuracy, something no IA team could ever do.

Finally, a company should consider hiring an independent third party audit firm which can identify and remediate your exposures (and help you craft that social media policy). An audit consultancy worth its salt will be as up-to-date on regulatory compliance as are accountants are on tax codes.

Yes, social media can get awfully silly. It can be equally serious as well.

This blog post was authored by Steven Randall. Steve is a Managing Partner with Vonya Global, a premier provider of internal audit co-sourcing, outsourcing, and consulting services; a member of the Institute of Internal Auditors (IIA) Chicago Chapter Board of Governors; a Director of the Adler-Caris Foundation, a not-for-profit dedicated to raising funds for Alzheimer’s Disease research; the President of the Oz Park Baseball Association, a not-for-profit organization dedicated to providing fundamental based baseball in a safe environment in the city of Chicago; and an Advisory Board Member of the Chicago Youth Baseball Initiative, a University of Illinois at Chicago community group dedicated to providing Chicago youth with the opportunity to play baseball in a fun and safe environment, while offering educational experiences on a world-class college campus. Steve was recently named The Institute of Internal Auditors’ Chicago Chapter’s New Member of the Year. If you would like more information about Vonya Global or if you have a question for Steve, you may contact him through this blog, the company website, twitter, or his LinkedIn Profile.

Veronika Fritz - Internal Audit ExecutiveThis blog post was written by Veronika Fritz. Veronika is a Managing Partner with Vonya Global, a premier provider of internal audit consulting services. Veronika is a CPA with over 18 years of audit and management experience. Her experience covers all areas of business including compliance, financial, operational and IT. She has led the planning, development and successful execution of financial audits, Sarbanes-Oxley Engagements, pre- and post-implementation ERP system reviews, and business process evaluations. Veronika has expert knowledge in evaluating the design, integrity, effectiveness and reliability of internal controls for financial reporting processes and Enterprise Resource Planning software. She has been a trusted advisor to companies spanning various industries. If you would like more information about Vonya Global or if you have a questions for Veronika, you may contact her through this blog, the company website, twitter, or her LinkedIn Profile.