TrueCompliance for Social Media: When “good enough” is not enough

Upload: actiance-inc

Post on 21-Nov-2014


Description: The Financial Services industry recognises that social media is a powerful, cost-effective channel to reach new customers and strengthen existing relationships. However, enabling the use of social within a corporate environment also has compliance and security implications.


Introduction

It is no secret that social media within the financial services industry has exploded over the last few years. The industry recognises that social media is a powerful, cost-effective channel to reach new customers and strengthen existing relationships. However, enabling the use of social within a corporate environment also has compliance and security implications.

Existing Financial Services Authority (FSA) rules still apply, and the regulator has issued additional guidelines on the use of social over the last couple of years. There is of course other European legislation to be considered, such as MiFID and PCI. Moreover, all these different social media channels today represent attractive avenues for hackers to unleash viruses and other types of malware on unsuspecting users. So, although the benefits of social are massive, organisations need to ensure they have the appropriate technology solutions in place to address these compliance and security concerns.


Compliance Requirements for Financial Services

Let’s take a closer look at the FSA’s guidelines. In its Financial Promotions Industry Update No 5 the FSA noted that all electronic communications shared via the internet should still be governed by High Level Standards and Business Standards. Within these regulations there are two main areas that need consideration when using social media.

Recordkeeping

SYSC 9.1 General rules on record-keeping states that “A firm must arrange for orderly records to be kept of its business and internal organisation, including all services and transactions undertaken by it, which must be sufficient to enable the FSA or any other relevant competent authority under MiFID to monitor the firm’s compliance with the requirements under the regulatory system.” Content such as LinkedIn Profile edits, Facebook posts, and Tweets is therefore subject to recordkeeping rules.

In addition, ICOBS 2.4, MCOB 3.10 and COBS 4.11 state that adequate records of financial promotions must be kept. COBS 4.11.1 (1) specifically says “it communicates or approves,” potentially implying that even unauthorised communication needs to be recorded.

Some specific facets of recordkeeping that firms must incorporate include the following:

• Tamper-proof archiving: Electronic records must be preserved exclusively in a non-rewriteable and non-erasable format. This means that data must be delivered to a customer’s archiving system in its original form.

• Guaranteed message order preservation: Given the interactive nature of social media, retaining the context of blogs and their comments, Facebook chat conversations, and LinkedIn Group discussions is vital. Without context, firms face the daunting prospect of having to piece together one conversation from a vast repository of data.

• Non-repudiation: This refers to proof of the integrity and origin of data. With so many hackers and sophisticated schemes to deceive users, data authenticity is a key consideration.
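As an added illustration of the three recordkeeping facets above (this is not code from the paper or from Actiance), the following Python sketch chains each archived record to its predecessor with a hash and a sequence number for order preservation, keys the chain with an HMAC as a stand-in for a signature proving origin, and verifies the ledger so that any alteration, deletion or reordering is detected. The key and the sample records are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real archive would hold this in an HSM, so a valid
# tag proves the archive itself (not an editor) produced the entry.
ARCHIVE_KEY = b"constructed-demo-key"
GENESIS = "0" * 64


def _chain_hash(prev: str, seq: int, record: dict) -> str:
    # Binds the record to its sequence number and to its predecessor.
    payload = json.dumps([prev, seq, record], sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def _tag(chain_hash: str) -> str:
    return hmac.new(ARCHIVE_KEY, chain_hash.encode(), hashlib.sha256).hexdigest()


class Archive:
    """Append-only ledger: every entry carries seq, prev hash, chain hash and tag."""

    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> dict:
        seq = len(self.entries)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = _chain_hash(prev, seq, record)
        entry = {"seq": seq, "prev": prev, "record": record, "hash": h, "tag": _tag(h)}
        self.entries.append(entry)
        return entry

    def verify(self) -> list:
        """Return the problems found; an empty list means intact, complete and in order."""
        problems, prev = [], GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                problems.append(f"entry {i}: missing, reordered or inserted entry")
            if _chain_hash(e["prev"], e["seq"], e["record"]) != e["hash"]:
                problems.append(f"entry {i}: content altered")
            if not hmac.compare_digest(_tag(e["hash"]), e["tag"]):
                problems.append(f"entry {i}: origin tag invalid")
            prev = e["hash"]
        return problems


def build_demo_archive() -> Archive:
    # Constructed sample records, appended in the order they occurred.
    arc = Archive()
    arc.append({"net": "facebook", "user": "jsmith", "type": "post", "text": "New fund launch"})
    arc.append({"net": "facebook", "user": "client1", "type": "comment", "text": "What are the fees?"})
    arc.append({"net": "linkedin", "user": "jsmith", "type": "profile_edit", "text": "Senior Adviser"})
    return arc
```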

Supervision

FSA regulated firms should review items such as LinkedIn Profiles and Facebook Profiles since they could be considered “advertisements” subject to pre-approval by an authorised person.

Some specific facets of supervision that firms must incorporate include the following:

• Real-time content review: COBS 4.10.3 and MCOB 3.11.1 prohibit unauthorised personnel from sending out financial promotions without prior approval from the FSA registered firm. Under Update number 5 this includes Tweets, status updates and LinkedIn Posts.

• Monitoring of links to third-party sites: Hyperlinks can be considered inducements depending on the prominence and type of link, e.g. clicking on a logo. Links to third party sites are not normally considered a financial promotion, unless there is an agreement between the two to procure users.


Addressing the Requirements

So, what must firms do to properly address the requirements outlined above? The following are some key considerations:

Pre-review certain communications

There are some aspects of social media sites that unequivocally require pre-approval by an authorised person, for instance a tweet that could be deemed a financial promotion posted by an unauthorised person. Regarding general tweets or Facebook posts, the FSA leaves it up to the individual firm to decide its policy based on its risk-tolerance profile.

Feature access controls

Since some social media features may invoke the “inducement” or “procurement” theories, controlling individual features, such as Facebook Likes, LinkedIn Recommendations, or Twitter Retweets, becomes critical. Being able to pick and choose the allowable features gives firms the flexibility to enable the use of social without having to worry about the “inducement” issue.

Tracking user activities

Establishing a complete audit trail of a user’s interaction with a given social media site comes into play in both regulatory and legal inquiries. For instance, say there’s a lawsuit involving the social media activities of John Smith while he was at work on a corporate-owned device. Counsel for both sides would be very interested in knowing what Smith was doing from 10am-11am while on Facebook. Did he upload any content? Did he delete any content? What other areas (e.g., Photos, Groups, Discussion boards, Chat) did he visit during that one hour? Did he post content to other sites from Facebook? The user activity history thus becomes very relevant.

Capture as much as possible

The FSA and MiFID require firms to capture all business-related communications. With the proliferation of smartphones nowadays, it is essential for firms to have policies and technology in place to accommodate the reality of employees using personal devices for business-related communications.

Authenticity of data

Firms must store social media content in tamper-proof repositories, such that data integrity is not compromised. Message order preservation and guaranteed delivery to the customer’s archive are two such ways to ensure authenticity of data.


Potential Technology Solutions

Solutions that enable compliance for social media generally take one of two technology approaches: the API and the proxy.

The API

Each social network (e.g., Facebook, LinkedIn, and Twitter) makes its API available to third-party developers. Each API is a little bit different. For instance, each social network allows calls to its API (“API calls”) only a limited number of times per day. That number depends on several factors, such as the number of employees at the company calling the API. It also means that capture is NOT done in real-time.

In the period between each of these API calls, comments or posts on, say, Facebook can be edited or deleted. These edits and deletions are just as important as the initial posts themselves. Regulatory bodies like the FSA are interested in the deleted content as much as the content that remains unchanged. This period between API calls is the “window of vulnerability” that opens the door to potential non-compliance, putting the firm at risk for sanctions or other penalties.

The Proxy

This approach entails the routing of social media traffic through a technology vendor’s solution, be it through proxy-forwarding rules or a proxy auto-configuration (PAC) file. Either way, the technology vendor sees all the traffic in real-time, as it happens. It offers the most granular controls available for users on a corporate-managed device or network.

All user activities can be logged (e.g., a user’s entire Facebook session can be captured with all the associated metadata) and archived. Pre-review capabilities and blocking/allowing access to specific features of a social network (e.g., Facebook Like, LinkedIn Recommendation, Twitter Retweet) are also made possible with the proxy. Most importantly, a proxy eliminates the API’s “window of vulnerability” thanks to its real-time capture of data.
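To make the API “window of vulnerability” and the proxy contrast concrete, here is an added Python simulation (not from the paper or from Actiance) over a constructed four-event timeline: a poller that reads the network every `interval` minutes only sees the state that exists at each poll, so content created and then edited or deleted between polls is never observed, whereas an inline proxy records every action at the moment it happens. The timeline, interval and horizon are assumptions for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: int          # minutes since the start of the observation window
    post_id: str
    action: str     # "create", "edit" or "delete"
    text: str = ""


# Constructed timeline: a promotional post is corrected after five minutes,
# and a second post is deleted two minutes after it appears.
DEMO_EVENTS = [
    Event(2, "p1", "create", "Guaranteed 12% return!"),
    Event(7, "p1", "edit", "Returns are not guaranteed"),
    Event(12, "p2", "create", "Ask me about our new fund"),
    Event(14, "p2", "delete"),
]


def snapshot(events, at):
    """What an API call at minute `at` would return: post_id -> current text."""
    state = {}
    for ev in sorted(events, key=lambda e: e.t):
        if ev.t > at:
            break
        if ev.action == "delete":
            state.pop(ev.post_id, None)
        else:
            state[ev.post_id] = ev.text
    return state


def api_observations(events, interval, horizon):
    """Every (post_id, text) pair that any poll at 0, interval, 2*interval, ... sees."""
    seen = set()
    for at in range(0, horizon + 1, interval):
        seen.update(snapshot(events, at).items())
    return seen


def missed_by_api(events, interval, horizon):
    """Create/edit events whose content never appeared in any poll: the content
    that fell into the window between API calls."""
    seen = api_observations(events, interval, horizon)
    return [ev for ev in events
            if ev.action != "delete" and (ev.post_id, ev.text) not in seen]


def proxy_capture(events):
    """An inline proxy sees each action as it happens, deletions included."""
    return [(ev.t, ev.post_id, ev.action, ev.text) for ev in sorted(events, key=lambda e: e.t)]
```

With a ten-minute polling interval the original promotional text of p1 and the whole of p2 are never captured, while polling every minute (or the proxy) catches everything.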


Given the stringent requirements of regulatory governance, firms must leverage both approaches to ensure complete compliance. On their own, the API and proxy are not enough to remain compliant. The best practice, therefore, is to use BOTH, so that a firm can confidently meet all of its compliance requirements (see table below).

| Requirement | Detail | Example | Proxy | API |
|---|---|---|---|---|
| Supervision | Pre-review | LinkedIn Profile edits | Yes | No |
| Supervision | Feature access controls | Block Facebook Like | Yes | No |
| Recordkeeping | Real-time capture of ALL content while on corporate-managed network or device | Archive all tweets, Facebook posts, LinkedIn updates done from a work laptop | Yes | No |
| Recordkeeping | Logging of user activities | Track user movement from LinkedIn Homepage to joining LinkedIn Group to trying to make a Recommendation | Yes | No |
| Recordkeeping | Capture of content regardless of device or location | Capture business-related tweet made from a personal iPhone | No | Yes |
| Recordkeeping | Automatic removal of inappropriate content | Removal of offensive joke from company Facebook page | No | Yes |

The Best Practice Solution

Actiance is the only technology vendor in the market that utilizes both the API and proxy methods to ensure its customers remain compliant. In fact, Actiance is the only vendor offering TrueCompliance™, a collection of features that support the strictest requirements of social media compliance:

• Tamper-proof archiving

• Guaranteed preservation of message/conversation order (context)

• Guaranteed data delivery to customer’s archiving system

• Guaranteed non-circumvention

• Real-time content filtering with advanced pattern matching, blocking and scanning (supervision)

About Actiance

Worldwide Headquarters: 1301 Shoreway, Suite 275, Belmont, CA 94002 USA, (650) 631-6300, [email protected]

EMEA Headquarters: 400 Thames Valley Park, Reading, Berkshire, RG6 1PT UK, +44 (0) 118 963 7469, [email protected]

This document is for informational purposes only. Actiance makes no warranties, express or implied, in this document. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Actiance, Inc.

© 2001 - 2012 Actiance, Inc. All rights reserved. Actiance and the Actiance logo are registered trademarks of Actiance, Inc. Actiance Vantage, Unified Security Gateway, Socialite, TrueCompliance and Insight are trademarks of Actiance, Inc. All other trademarks are the property of their respective owners.