TrueCompliance for Social Media
DESCRIPTION
The financial services industry recognises that social media is a powerful, cost-effective channel to reach new customers and strengthen existing relationships. However, enabling the use of social within a corporate environment also has compliance and security implications.
TRANSCRIPT
TrueCompliance™ for Social Media: When “good enough” is not enough
Introduction
It is no secret that social media within the financial services industry has exploded over the last few years. The industry recognises that social media is a powerful, cost-effective channel to reach new customers and strengthen existing relationships. However, enabling the use of social within a corporate environment also has compliance and security implications.
Existing Financial Services Authority (FSA) rules still apply, and the regulator has issued additional guidelines on the use of social over the last couple of years. There is of course other European legislation to be considered, such as MiFID and PCI. Moreover, all these different social media channels today represent attractive avenues for hackers to unleash viruses and other types of malware on unsuspecting users. So, although the benefits of social are massive, organisations need to ensure they have the appropriate technology solutions in place to address these compliance and security concerns.
Compliance Requirements for Financial Services
Let’s take a closer look at the FSA’s guidelines. In its Financial Promotions Industry Update No 5 the FSA noted that all electronic communications shared via the internet should still be governed by High Level Standards and Business Standards. Within these regulations there are two main areas that need consideration when using social media.
Recordkeeping
SYSC 9.1 General rules on record-keeping states that “A firm must arrange for orderly records to be kept of its business and internal organisation, including all services and transactions undertaken by it, which must be sufficient to enable the FSA or any other relevant competent authority under MiFID to monitor the firm’s compliance with the requirements under the regulatory system.” This means that content such as LinkedIn Profile edits, Facebook posts, and Tweets is subject to recordkeeping rules.
In addition, ICOBS 2.4, MCOB 3.10 and COBS 4.11 state that adequate records of financial promotions must be kept. COBS 4.11.1 (1) specifically says “it communicates or approves,” potentially implying that even unauthorised communication needs to be recorded.
Some specific facets of recordkeeping that firms must incorporate include the following:
• Tamper-proof archiving: Electronic records must be preserved exclusively in a non-rewriteable and non-erasable format. This means that data must be delivered to a customer’s archiving system in its original form.
• Guaranteed message order preservation: Given the interactive nature of social media, retaining the context of blogs and their comments, Facebook chat conversations, and LinkedIn Group discussions is vital. Without context, firms face the daunting prospect of having to piece together one conversation from a vast repository of data.
• Non-repudiation: This refers to proof of the integrity and origin of data. With so many hackers and sophisticated schemes to deceive users, data authenticity is a key consideration.
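To make the three recordkeeping facets above concrete, here is an added example (not Actiance’s code and not part of this paper) of a minimal hash-chained archive in Python: every captured item gets a sequence number and a SHA-256 link to the previous entry, so an in-place edit, a reordering or a deletion breaks verification, and an HMAC over the chain head (with an assumed shared key) stands in for the origin proof that a production archive would provide with a digital signature. The record contents, channel names and key are constructed for the example.

```python
"""Tamper-evident, order-preserving archive for captured social media records.

Added example, not Actiance's code. Records, key and channel names are
constructed for illustration.
"""
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import List, Optional

GENESIS = "0" * 64  # link value for the first entry


def _entry_digest(prev_hash: str, seq: int, record: dict) -> str:
    """SHA-256 over the previous link, the position and the canonical record."""
    payload = json.dumps({"prev": prev_hash, "seq": seq, "record": record},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


@dataclass
class Entry:
    seq: int
    record: dict
    prev_hash: str
    entry_hash: str


@dataclass
class Archive:
    key: bytes                              # assumed shared secret for head attestation
    entries: List[Entry] = field(default_factory=list)

    def append(self, record: dict) -> Entry:
        """Append-only write: position and link are fixed at capture time."""
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq = len(self.entries)
        entry = Entry(seq, dict(record), prev, _entry_digest(prev, seq, record))
        self.entries.append(entry)
        return entry

    def head_tag(self) -> str:
        """HMAC over the chain head; a signature would replace this in production."""
        head = self.entries[-1].entry_hash if self.entries else GENESIS
        return hmac.new(self.key, head.encode(), hashlib.sha256).hexdigest()

    def verify(self, expected_tag: Optional[str] = None) -> bool:
        """Recompute every link; optionally also check the attested head."""
        prev = GENESIS
        for seq, e in enumerate(self.entries):
            if e.seq != seq or e.prev_hash != prev:
                return False                   # reordered or spliced
            if _entry_digest(prev, seq, e.record) != e.entry_hash:
                return False                   # edited in place
            prev = e.entry_hash
        if expected_tag is not None and not hmac.compare_digest(self.head_tag(), expected_tag):
            return False                       # entries removed from the end
        return True


# Constructed sample capture: a blog post and its comment thread.
SAMPLE_RECORDS = [
    {"channel": "blog", "user": "jsmith", "action": "post", "text": "New ISA rates for 2012"},
    {"channel": "blog", "user": "client1", "action": "comment", "text": "Is this guaranteed?"},
    {"channel": "blog", "user": "jsmith", "action": "comment", "text": "See the key facts document"},
]


def demo() -> dict:
    """Build an archive, attest its head, then try three kinds of tampering."""
    archive = Archive(key=b"constructed-attestation-key")
    for rec in SAMPLE_RECORDS:
        archive.append(rec)
    tag = archive.head_tag()

    edited = copy.deepcopy(archive)
    edited.entries[2].record["text"] = "Returns are guaranteed"

    reordered = copy.deepcopy(archive)
    reordered.entries[1], reordered.entries[2] = reordered.entries[2], reordered.entries[1]

    truncated = copy.deepcopy(archive)
    truncated.entries.pop()

    return {
        "intact": archive.verify(tag),
        "edited": edited.verify(tag),
        "reordered": reordered.verify(tag),
        "truncated_chain_only": truncated.verify(),
        "truncated_with_tag": truncated.verify(tag),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} verifies: {ok}")
```

The truncated case is the one worth noting: dropping the newest entries leaves a chain that still verifies link by link, which is why an archive needs an attested head (here an HMAC, in practice a signature or a WORM store’s own receipt) and not just internal hashes.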
Supervision
FSA-regulated firms should review items such as LinkedIn Profiles and Facebook Profiles, since they could be considered “advertisements” subject to pre-approval by an authorised person.
Some specific facets of supervision that firms must incorporate include the following:
• Real-time content review: COBS 4.10.3 and MCOB 3.11.1 prohibit unauthorised personnel from sending out financial promotions without prior approval from the FSA-registered firm. Under Update number 5 this includes Tweets, status updates and LinkedIn Posts.
• Monitoring of links to third-party sites: Hyperlinks can be considered inducements depending on the prominence and type of link, e.g. clicking on a logo. Links to third-party sites are not normally considered a financial promotion, unless there is an agreement between the two to procure users.
Addressing the Requirements
So, what must firms do to properly address the requirements outlined above? The following are some key considerations:
Pre-review certain communications
There are some aspects of social media sites that unequivocally require pre-approval by an authorised person, for instance a tweet that could be deemed a financial promotion, posted by an unauthorised person. Regarding general tweets or Facebook posts, the FSA leaves it up to the individual firm to decide its policy based on its risk-tolerance profile.
Feature access controls
Since some social media features may invoke the “inducement” or “procurement” theories, controlling individual features, such as Facebook Likes, LinkedIn Recommendations, or Twitter Retweets, becomes critical. Being able to pick and choose the allowable features gives firms the flexibility to enable the use of social without having to worry about the “inducement” issue.
Tracking user activities
Establishing a complete audit trail of a user’s interaction with a given social media site comes into play in both regulatory and legal inquiries. For instance, say there’s a lawsuit involving the social media activities of John Smith while he was at work on a corporate-owned device. Counsel for both sides would be very interested in knowing what Smith was doing from 10am-11am while on Facebook. Did he upload any content? Did he delete any content? What other areas (e.g., Photos, Groups, Discussion boards, Chat) did he visit during that one hour? Did he post content to other sites from Facebook? The user activity history thus becomes very relevant.
Capture as much as possible
The FSA and MiFID require firms to capture all business-related communications. With the proliferation of smartphones nowadays, it is essential for firms to have policies and technology in place to accommodate the reality of employees using personal devices for business-related communications.
Authenticity of data
Firms must store social media content in tamper-proof repositories, such that data integrity is not compromised. Message order preservation and guaranteed delivery to the customer’s archive are two such ways to ensure authenticity of data.
Potential Technology Solutions
Solutions that enable compliance for social media generally take one of two technology approaches: the API and the proxy.
The API
Each social network (e.g., Facebook, LinkedIn, and Twitter) makes its API available to third-party developers. Each API is a little bit different. For instance, each social network allows calls to its API (“API calls”) only a limited number of times per day. That number depends on several factors, such as the number of employees at the company calling the API. It also means that capture is NOT done in real-time.
In the period between each of these API calls, comments or posts on, say,
Facebook can be edited or deleted. These edits and deletions are just as
important as the initial posts themselves. Regulatory bodies like the FSA
are interested in the deleted content as much as the content that remains
unchanged. This period between API calls is that “window of vulnerability”
that opens the door to potential non-compliance, putting the firm at risk for
sanctions or other penalties.
The Proxy
This approach entails the routing of social media traffic through a technology vendor’s solution, be it through proxy-forwarding rules or a proxy auto-configuration (PAC) file. Either way, the technology vendor sees all the traffic in real-time, as it happens. It offers the most granular controls available for users on a corporate-managed device or network.
All user activities can be logged (e.g., a user’s entire Facebook session can be captured with all the associated metadata) and archived. Pre-review capabilities and blocking/allowing access to specific features of a social network (e.g., Facebook Like, LinkedIn Recommendation, Twitter Retweet) are also made possible with the proxy. Most importantly, a proxy eliminates the API’s “window of vulnerability” thanks to its real-time capture of data.
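The difference between the two approaches, as described in the API and proxy sections above, can be shown with a small simulation, added here as an example and not drawn from the paper or from any vendor product: a constructed timeline of post events is replayed through a snapshot poller (the API model, with an assumed 600-second poll interval standing in for a rate-limited schedule) and through an inline observer that sees every request as it happens (the proxy model). An edit that is made and reverted between two polls, and a post created and deleted within the same window, never reach the poller’s record.

```python
"""Snapshot polling (API model) versus inline capture (proxy model).

Added example, not the paper's or any vendor's code. The timeline, post ids
and poll interval are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

POLL_INTERVAL = 600  # seconds; assumed stand-in for a rate-limited API schedule


@dataclass(frozen=True)
class Event:
    t: int           # seconds since the start of the session
    post_id: str
    action: str      # "create", "edit" or "delete"
    text: str = ""   # empty for deletes


# Constructed timeline (sorted by time): the edit at t=120 is reverted at
# t=300, and post p2 is created and deleted inside the same 600-second window.
TIMELINE: List[Event] = [
    Event(0, "p1", "create", "Our new bond fund launches Monday"),
    Event(120, "p1", "edit", "Our new bond fund launches Monday - guaranteed 8% return!"),
    Event(300, "p1", "edit", "Our new bond fund launches Monday"),
    Event(700, "p2", "create", "Ask me about ISAs"),
    Event(900, "p2", "delete"),
]


def state_at(events: List[Event], upto: int) -> Dict[str, str]:
    """Current text of each live post, as an API read at time `upto` would return it."""
    state: Dict[str, str] = {}
    for e in events:
        if e.t > upto:
            break
        if e.action == "delete":
            state.pop(e.post_id, None)
        else:
            state[e.post_id] = e.text
    return state


def api_capture(events: List[Event], interval: int = POLL_INTERVAL) -> List[Tuple[str, str]]:
    """Polling capture: records (post_id, text) pairs visible at each poll, nothing between."""
    seen: List[Tuple[str, str]] = []
    last = max(e.t for e in events)
    t = 0
    while t <= last + interval:
        for post_id, text in state_at(events, t).items():
            if (post_id, text) not in seen:
                seen.append((post_id, text))
        t += interval
    return seen


def proxy_capture(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Inline capture: every request is observed as it passes, deletes included."""
    return [(e.post_id, e.action, e.text) for e in events]


def missed_by_polling(events: List[Event], interval: int = POLL_INTERVAL) -> List[str]:
    """Texts that passed through the proxy but never appeared in any API poll."""
    polled = {text for _, text in api_capture(events, interval)}
    return sorted({e.text for e in events if e.text and e.text not in polled})


if __name__ == "__main__":
    for text in missed_by_polling(TIMELINE):
        print("missed by polling:", text)
    print("inline capture saw", len(proxy_capture(TIMELINE)), "events")
```

Shortening the interval to 60 seconds closes the window in this toy timeline, but a rate-limited API does not let the poller choose its interval freely, which is the point the paper makes; the inline observer also records the delete itself, which a poller can only infer from a post that has gone missing.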
Given the stringent requirements of regulatory governance, firms must leverage both approaches to ensure complete compliance. On their own, neither the API nor the proxy is enough to remain compliant. The best practice, therefore, is to use BOTH, so that a firm can confidently meet all of its compliance requirements (see table below).
Requirement | Detail | Example | Proxy | API
Supervision | Pre-review | LinkedIn Profile edits | Yes | No
Supervision | Feature access controls | Block Facebook Like | Yes | No
Recordkeeping | Real-time capture of ALL content while on corporate-managed network or device | Archive all tweets, Facebook posts, LinkedIn updates done from a work laptop | Yes | No
Recordkeeping | Logging of user activities | Track user movement from LinkedIn Homepage to joining LinkedIn Group to trying to make a Recommendation | Yes | No
Recordkeeping | Capture of content regardless of device or location | Capture business-related tweet made from a personal iPhone | No | Yes
Recordkeeping | Automatic removal of inappropriate content | Removal of offensive joke from company Facebook page | No | Yes
The Best Practice Solution
Actiance is the only technology vendor in the market that utilizes both the API and proxy methods to ensure its customers remain compliant. In fact, Actiance is the only vendor offering TrueCompliance™, a collection of features that support the strictest requirements of social media compliance:
• Tamper-proof archiving
• Guaranteed preservation of message/conversation order (context)
• Guaranteed data delivery to customer’s archiving system
• Guaranteed non-circumvention
• Real-time content filtering with advanced pattern matching, blocking and scanning (supervision)
About Actiance
Worldwide Headquarters
1301 Shoreway, Suite 275
Belmont, CA 94002 USA
(650) 631-6300
[email protected]
This document is for informational purposes only. Actiance makes no warranties, express or implied, in this document. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Actiance, Inc.
© 2001 - 2012 Actiance, Inc. All rights reserved. Actiance and the Actiance logo are registered trademarks of Actiance, Inc. Actiance Vantage, Unified Security Gateway, Socialite, TrueCompliance and Insight are trademarks of Actiance, Inc. All other trademarks are the property of their respective owners.
EMEA Headquarters
400 Thames Valley Park
Reading, Berkshire, RG6 1PT UK
+44 (0) 118 963 7469
[email protected]